Analysis Overview
Threat Level: Known bad
The file https://gofile.io/d/10lzhS was found to be: Known bad.
Malicious Activity Summary
XenArmor Suite
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Reads user/profile data of local email clients
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Drops startup file
Checks computer location settings
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:42
Reported
2024-06-08 19:59
Platform
win10v2004-20240426-en
Max time kernel
959s
Max time network
1047s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XenArmor Suite
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk | C:\Users\Admin\Downloads\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.lnk | C:\Users\Admin\Downloads\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdjypv.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epxlcn.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\ProgramData\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\ProgramData\\conhost.exe" | C:\Users\Admin\Downloads\XClient.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\mfc110chs.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110fra.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110kor.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcomp110.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110cht.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110deu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110jpn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\vcamp110.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfcm110u.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110enu.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110esn.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110ita.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfc110rus.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\mfcm110.dll | C:\Windows\system32\msiexec.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\vcredist2010_x64.log.html" | C:\Users\Admin\Downloads\XClient.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI7CD2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI112D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140_1.dll_x86 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI62DE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1355.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x86 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C63.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1354.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\vccorlib140.dll_x64 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7B88.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\CacheSize.txt | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\concrt140.dll_x64 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\vcruntime140.dll_x64 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140_1.dll_x64 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4C67.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI11DA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1277.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140.dll_x86 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF06D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI12F5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\vccorlib140.dll_x86 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\msvcp140.dll_x64 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\vcruntime140.dll_x86 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFE4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\CacheSize.txt | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d9d47eb9a1a06eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d9d47eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d9d47eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd9d47eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d9d47eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\Downloads\XClient.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00006109E70000000100000000F01FEC\SourceList\LastUsedSource = "n;1;C:\\program files\\microsoft office\\root\\integration\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\system32\calc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\\packages\\vcRuntimeMinimum_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\\packages\\vcRuntimeAdditional_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\packages\\vcRuntimeMinimum_amd64\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\\packages\\vcRuntimeAdditional_x86\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00006109E70000000100000000F01FEC\SourceList | C:\Windows\system32\msiexec.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 913486.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\conhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SYSTEM32\MsiExec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\All-In-One.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/10lzhS
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8354246f8,0x7ff835424708,0x7ff835424718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "conhost" /tr "C:\ProgramData\conhost.exe"
C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8354246f8,0x7ff835424708,0x7ff835424718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16020548269046679382,466963119071923158,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6024 /prefetch:2
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c start calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8354246f8,0x7ff835424708,0x7ff835424718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7566321662052949644,13485049516917258837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4c0
C:\Users\Admin\AppData\Local\Temp\cdjypv.exe
"C:\Users\Admin\AppData\Local\Temp\cdjypv.exe"
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Users\Admin\AppData\Local\Temp\epxlcn.exe
"C:\Users\Admin\AppData\Local\Temp\epxlcn.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\SYSTEM32\CMD.EXE
"CMD.EXE"
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4c0
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{71024AE4-039E-4CA4-87B4-2F64180401F0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6DF517BDE64F5C274F3FB228188117B3 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8386003F77F18062654E610D0525C7E6 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E70B036A2B35AE75AF9301DF807A294B C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 1AC3F9D65F7E9DD2FC7FF591025EAF71
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{71024AE4-039E-4CA4-87B4-2F64180401F0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B8546DC2ABEB31A79CDD06F4EDD7C0A1 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{71024AE4-039E-4CA4-87B4-2F64180401F0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6E2E7569C2CA3DFC9B2E34B1D7DAD3D0 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding D2928CD02F24FD72BAA8F47540A0B782 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 7A159F207CF890C5F241C305FB819CA4 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{71024AE4-039E-4CA4-87B4-2F64180401F0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EBF3AE34EF2CDE9DB65DC54B43F4AD7 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding A8B05C6B7A0B81DB67713F17D03C3B0D C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding E722ACA26E9AF728674E2E70307E5DF6 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9F51D16B-42E8-4A4A-8228-75045541A2AE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7447A794-FA2E-42BE-BA9A-5FCBD54C5DF3}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BCC2FB07-8CF0-4542-B10C-61BCEF04AFF2}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{79043ED0-7ED1-4227-A5E5-04C5594D21F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding D4D92784BAA2CC0783E07AAABD5D6EDB C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{2BB73336-4F69-4141-9797-E9BD6FE3980A}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{B175520C-86A2-35A7-8619-86DC379688B9}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DF45E71E1523936E254B2D15096726D9 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{CB0836EC-B072-368D-82B2-D3470BF95707}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{7DAD0258-515C-3DD4-8964-BD714199E0F7}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{662A0088-6FCD-45DD-9EA7-68674058AED5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{BF08E976-B92E-4336-B56F-2171179476C4}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E8A68880DB37AAB5E75118BD58D9EA22 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{E634F316-BEB6-4FB3-A612-F7102F576165}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 11C787BE037E96803A7E61203653D8C3 C
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /I{71024AE4-039E-4CA4-87B4-2F64180401F0}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}
C:\Windows\SYSTEM32\MsiExec.exe
MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 8E8B520673086B8E40285F25926D26EA C
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B791E83FAEB5CBA56067F0537E0266C9
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F1C09B284E0EBA98CCF376A415BA470C
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
All-In-One.exe OutPut.json
C:\ProgramData\conhost.exe
C:\ProgramData\conhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:15871 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:15871 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:15871 | tcp | |
| US | 8.8.8.8:53 | moving-agenda.gl.at.ply.gg | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pornhub.com | udp |
| US | 66.254.114.41:80 | pornhub.com | tcp |
| US | 66.254.114.41:80 | pornhub.com | tcp |
| US | 66.254.114.41:443 | pornhub.com | tcp |
| US | 8.8.8.8:53 | www.pornhub.com | udp |
| US | 8.8.8.8:53 | static.trafficjunky.com | udp |
| US | 8.8.8.8:53 | ei.phncdn.com | udp |
| GB | 64.210.156.20:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.20:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| GB | 64.210.156.22:443 | ei.phncdn.com | tcp |
| US | 8.8.8.8:53 | 41.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | media.trafficjunky.net | udp |
| US | 8.8.8.8:53 | prvc.io | udp |
| US | 8.8.8.8:53 | cdn1-smallimg.phncdn.com | udp |
| GB | 64.210.156.16:443 | media.trafficjunky.net | tcp |
| US | 66.254.114.156:443 | cdn1-smallimg.phncdn.com | tcp |
| US | 172.67.177.254:443 | prvc.io | tcp |
| GB | 64.210.156.22:443 | media.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | 20.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ss.phncdn.com | udp |
| US | 8.8.8.8:53 | 22.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.adtng.com | udp |
| US | 66.254.114.171:443 | a.adtng.com | tcp |
| US | 8.8.8.8:53 | eg-cdn.trafficjunky.net | udp |
| PL | 93.184.223.43:443 | eg-cdn.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | ht-cdn2.adtng.com | udp |
| US | 8.8.8.8:53 | hw-cdn2.adtng.com | udp |
| GB | 64.210.156.23:443 | ht-cdn2.adtng.com | tcp |
| GB | 64.210.156.4:443 | hw-cdn2.adtng.com | tcp |
| US | 8.8.8.8:53 | 43.223.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.114.254.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.156.210.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage.googleapis.com | udp |
| FR | 172.217.18.219:443 | storage.googleapis.com | tcp |
| US | 8.8.8.8:53 | 219.18.217.172.in-addr.arpa | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 66.254.114.41:80 | www.pornhub.com | tcp |
| US | 66.254.114.41:80 | www.pornhub.com | tcp |
| US | 66.254.114.41:443 | www.pornhub.com | tcp |
| US | 172.67.177.254:443 | prvc.io | tcp |
| GB | 64.210.156.22:443 | ht-cdn2.adtng.com | tcp |
| PL | 93.184.223.43:443 | eg-cdn.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | ht-cdn.trafficjunky.net | udp |
| GB | 64.210.156.21:443 | ht-cdn.trafficjunky.net | tcp |
| US | 8.8.8.8:53 | 21.156.210.64.in-addr.arpa | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 51.38.43.18:443 | gofile.io | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.example.com | udp |
| US | 93.184.215.14:80 | www.example.com | tcp |
| US | 8.8.8.8:53 | 14.215.184.93.in-addr.arpa | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
| US | 147.185.221.20:15871 | moving-agenda.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ecdc2754d7d2ae862272153aa9b9ca6e |
| SHA1 | c19bed1c6e1c998b9fa93298639ad7961339147d |
| SHA256 | a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7 |
| SHA512 | cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2 |
\??\pipe\LOCAL\crashpad_5108_KTVYDDKBLLYLFTRS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2daa93382bba07cbc40af372d30ec576 |
| SHA1 | c5e709dc3e2e4df2ff841fbde3e30170e7428a94 |
| SHA256 | 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30 |
| SHA512 | 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0b07b81529b1d88720a6738930294899 |
| SHA1 | ba33e9e6d41e55c3682035784c93c75e82eac90d |
| SHA256 | 6ae3ea41e3676ff70e8d21798cf0cd4284a8c0c6a38d924d192b7884e57fc2e8 |
| SHA512 | 89631a6206ee5d7ce4771fb4ff5aaf8b8af5b43871bb99a57d32c815ad4cbd75b53773d210f63a779f0a9cca3badeb577eccbbadba73fe2b3b7a3813257c8bdc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Unconfirmed 913486.crdownload
| MD5 | 19faa0214868d724e4f7f42adaf71e6a |
| SHA1 | 3cf883dc01acf437bacba47231e4dbccbd56dd3e |
| SHA256 | b2159dd49b880e024d8d7e037d31f4206992ff4bf498128a3cf6e77899a4b166 |
| SHA512 | 386319ef7b241959b9ba2b9d57bfcefb9eba49ac0c80ace71793f4f69d94758969ca42109ea76f2a0655d9d9711a80acbac83795de25e4617a3a3fc73131dc22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 819b1fee84b89762969ed3e70cd5dfe2 |
| SHA1 | 2821ec955061724783fde648d80f3b3da7becb72 |
| SHA256 | 9b76f26c0f54f218481d9d74cab38e8b27bd2668c42b87480c303a023adeab1a |
| SHA512 | c3a17ad823ac44ed458392f89ee66cbc7abd5498bd3a70277c11200d4aab0e9a074ee158dbc6224e984484c8bde5ae445947b461431b180fd89af7c43766f197 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | db41625809fa6ab42ebbdcfe1acb7126 |
| SHA1 | 0fcf5c21d98f0492a63a2a85ff7610f9c221f871 |
| SHA256 | 039372eb2c706226607e0e7f5964961b4793c8e076cd99430c4aa0b1ef50c93f |
| SHA512 | 7872313b8ef185070c42ab01ebd76b0971f76ae47b0b152e962c77fb64dd0f137df5a94cec2f0d5109a27e6215e4e1fc5943869673856b956834fb68f066cf2b |
memory/4948-105-0x0000000000F20000-0x0000000000F38000-memory.dmp
memory/5264-119-0x00000199A9550000-0x00000199A9572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnvwwumg.lp1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bc110200117a3752313ca2acaf8a9e1 |
| SHA1 | fda6b7da2e7b0175b391475ca78d1b4cf2147cd3 |
| SHA256 | c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb |
| SHA512 | 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 54522d22658e4f8f87ecb947b71b8feb |
| SHA1 | 6a6144bdf9c445099f52211b6122a2ecf72b77e9 |
| SHA256 | af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a |
| SHA512 | 55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9c4649f0462d087c809e97f8ab5754d9 |
| SHA1 | 524a46657fc1fd7b4ac81e30a98a6f7dae51c945 |
| SHA256 | 5dc9b1ac1781a8a78188217137dce27c0d51dce85408809d289bf90d6b4aa0e1 |
| SHA512 | 90dc3542b04663df76e16ea5b237b7775ef7af38b790b7f06484d1db5877a7bab2e4950b3dbe014d9f5a3b0b127342dfe27f4bda8bf605c935bbaeb5e09d831c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5f7f35e80522be5990b1b03df789cf02 |
| SHA1 | bd3a7b6ba8902672fa7049c5725e82dea29c3976 |
| SHA256 | 25d3ceab3bd8d83ee88385fd7e880fe957238db4b4beb19183b53b439027b557 |
| SHA512 | 375c0065fe3f668ba45eab0a9b2f452a711f66dac060bfb864535c67f5e51a0a56174f8a2f792d81d7a33d5ff12ccac9ff5c508d41ece31f094cde7fdebbb5f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f0f3cf41824632d80f69aedc7071268e |
| SHA1 | 546491bee25242fa90ab7c9b3fa369e328470d01 |
| SHA256 | 6029944979ab6129f2d9449a901592d5279717ea26cf3aa575f1c4431ed0f7df |
| SHA512 | 5de7fca9a08f09b149c9f0ea4dd5d773649d701f5c156607853d734b969899d800ee88be2623345d8202c45c39866fb4c6a4eac6d6c1e57363dadb13b698e62d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | afc6cddd7e64d81e52b729d09f227107 |
| SHA1 | ad0d3740f4b66de83db8862911c07dc91928d2f6 |
| SHA256 | b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0 |
| SHA512 | 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b3e73d1f31e6b966be375503896a0d12 |
| SHA1 | c7a14129d151ebf8292a1243107f647b6a8f342b |
| SHA256 | 2e9177e3342a223bdfbfe830b1e0b0d789697a92a85f5af7783902a6552fe5ca |
| SHA512 | 5608b61402c56169315d3071ae8ddb13dafac2483eab65e3688f18ab7012ba18e495a3d092e5f87bf908ed05275d46fbe40f4fc48e8e21ad35b81ad3ff0adb4b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\791038f4-201a-4d7f-a0a2-f8118abc21d1.tmp
| MD5 | aaa9df7c9762523e22d98ee101e7dfa0 |
| SHA1 | 8326f03b96c5ea72b93322924cd59d71a4dc1856 |
| SHA256 | ed0441b0ed4b7a69827178251264f75161c98c84f6b7c9a892a3af579f635e24 |
| SHA512 | ec70fff26fead2da3df006523f58a483a032d617145678b3df9fdb98df5bbdb7256beddce1de15138c165ee288c12ac0459e67369257c99d21e1f6dd067e8319 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f940.TMP
| MD5 | e92f8923b75d201e6498c04ba26497df |
| SHA1 | 76a84e42b08c6ce58b55eeba7a88aa1aa30447d9 |
| SHA256 | 67918ed05bc9a50a798dc2b850de87781256e1e3de9c686be9d45f389cb7b0a1 |
| SHA512 | de7dd76c68997090ef5d1fdf753b17e334758c42aa785b36ce730fda4c3494dd55dc29546a606076ed32294f0fd08bec789acfbd551430cf68b893d1a97b3d19 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d433a45d0810787e4956fdfe9ffd0d8c |
| SHA1 | 229cc4f28b49bc630c167ad99f8e86387d3b6b7c |
| SHA256 | 24be546de1c068de3eeae68a5c0e32157ec0bc364f2bba67a6c9a2dae103a35d |
| SHA512 | 4ffab0a1b31dc1e17d33abfbbc55727af19133eba4306bad00f023c0a1ccccb3ea818300a06f4668b3bbbd3704543896e00225232a3ef176f648677517245ca5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d1d4a7164a41b706026770f7bd01561d |
| SHA1 | 367f3a58a9791fc5f9f04ca80c36b0987f613d10 |
| SHA256 | 21a45dda04dc16f6883521c8e1221d01e2a5b08e8445f8b9deefbc95b9b33b02 |
| SHA512 | 637ee0f353fe843ebffc595a64195c47ec82756dc94ea84b2092569f93893d20894700f411a86101ff166f0da1cc48845c95bbea48120e1b2feab83e8dcaf795 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | fd2ff11126596f2d50dfc0417239dfbc |
| SHA1 | 9485e6ae3b28dae03482b4435d9c7386d9465138 |
| SHA256 | 7e8cb914fe8d464ca5c8548baeaf6190abde97aa406f735816407836a155449b |
| SHA512 | 04f8540ba4d2a6ac748fd24f99d0c549dac8a5997119afdb6b8f57f8d49bd7f0066688d6696f6ec92b16150374051c56e9ab2398658364dd5e81128505b4957c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5927a3.TMP
| MD5 | f9fcfbc780c8787c73f7decfe36bbf25 |
| SHA1 | 8ddb6725ed00995340403589a76dfdeb91b86f9e |
| SHA256 | 60c57e0274a9f706368b17611d98095d3a50b87d1a4129c0b73a07ee823223c9 |
| SHA512 | e7d357abd05a3b67255b922693121c307fad73f7150fd681c3057cb4d805817499b024256f3c3bd3bb68cd986a415fb48fcdeb73a8e6f26148e4b5efdf4578d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b5e70cd60eff11f3a2e5f7c562debf70 |
| SHA1 | 2fb0d8326d2399293c44fb43b1b06047d5d673a1 |
| SHA256 | d4aa8502fb4eff5e271224465a35579a0d0b5efbed245a792284d015de02da50 |
| SHA512 | db1c8274ebd87c47a81313b035b7249032ab9d4b677533dbe564fb96149fd4654ade12235a7e4b86cdc6c95eb3ba2dcc107f466bb304c584ea61437602e357d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 13b29f287e53951db3064af276effd63 |
| SHA1 | b08d3822f12e8c92b0900d1f4e124fb5f02af519 |
| SHA256 | 6e349a2d7de7eeca627fcfc117e3e0f800ed742389686e27a1afd2bbd2c87d96 |
| SHA512 | a02514f2220a011ad6427b6bb3f6b7e2f15804db2a2722ef924e3b393eedbc2d9a8022061499d84d853eca580cfa082f55ace65db608383d466048ab3b9e3590 |
memory/4948-527-0x000000001CD70000-0x000000001CD7C000-memory.dmp
memory/4948-528-0x00000000016B0000-0x00000000016BA000-memory.dmp
memory/4948-530-0x000000001DC30000-0x000000001DF80000-memory.dmp
memory/4948-531-0x0000000001730000-0x000000000173C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | 9648d555b9cadad2eaa261016743c71c |
| SHA1 | 52bc80d436049434025c003c782ac20735dd7ddc |
| SHA256 | ddb3235f37919d2a403670b6a7ba3752dccb7406fb24b4f416f0afc17e013773 |
| SHA512 | 6b8b8b6d1e405eb71391cd6660a5c6e1e32372a1433acbdca1e0a533b76a0a04b78389de8b5ba768fca48f9613fd8a7af1f17b384d6b094291e75f95be3428d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | 60d026a0f551010950b195c73c571494 |
| SHA1 | 14c7a195c137464ed028d2d173368612350941e9 |
| SHA256 | 4e5cb2e706873687ab349d3d056231c46656c194eaa6f7e06ef5577affbe5d3b |
| SHA512 | 4a2e21aba043f6caba68752769403c51dd064544a87aff7a8a66025b4d09bf21a56f05a0ba3b81a35847427751b9504f6506e8c8efeb7b563f31bf1861765a7c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
| MD5 | 145fbaef97c0f9e4f6f96e2ff3c2bbd7 |
| SHA1 | 22830ff89af46b65f828df03bbbdf9b189b135aa |
| SHA256 | c3f8a601db5f6d31230249a378bac45d6a0812a1669b35e26e094fcc06aeaf6d |
| SHA512 | 16408d9f735c02b8a224fae5d623c0093646397bf1e14de8eb5633a89305736c8621922ea74b1a75e0c7fbc4570c57462d73785123ca1cfce0085a623641dbaa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 00fced86264e22bdab94c05e2e0b6755 |
| SHA1 | f7ee3b2d95fc1a72e03e0aa8f46d89e613795c2f |
| SHA256 | 9c938e228999e1f17803aad0d431859b1016b1c984267b2c02a33f965f28e086 |
| SHA512 | 51f1661926af38068061a89548db711433211fd3b54e8c447c30e7f659053154c0370e257ec5c0b2121b3990a3606fe3786a36c3a2b4faf31f9c3a91ddc85b4c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 800e62e1fd33d1eb497f2ae4b0ec4207 |
| SHA1 | 70680a159f8f4e028716392c46fe1d4b879f43ff |
| SHA256 | a8b9254aadd905b8dcdfa18af7d29c9f6a023a3ed714e5a7850f9688d7211dfe |
| SHA512 | 580bdd1508d69b426817d4b1468fa9f2efcde7f4f12af42e325526a0c8b68659b36df9219328e5a94f3a00127953ea5300183e4b47759fcb584037971e46ea8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
| MD5 | 960d2552249b9387099a10ed3e4e4bf1 |
| SHA1 | a2e9c73ab688537c79c066542159bf38cb7676db |
| SHA256 | 1200b93ce77aafe271f4477e0d321595a33db7a5f13f6d322134a82ecccc0e10 |
| SHA512 | 5e1af28ff076084bc56e4852007ebc4b6919e225ceb52f6e7e97617db3494fe3e99fda7d0f6fe09b02f9e1ab548f42110aeca36627a6ba0f457875b81d9e65ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | b6858903e698bd254f7cbe150017e3b9 |
| SHA1 | b68b0c3f13d07185db5930cc2297c43c51f24cc3 |
| SHA256 | ce7a877542b671dd3813eb50c255542c08c725dfbd4f064bc5b8eda43b0b940a |
| SHA512 | fbb0de3d51bc97ed522ab27fb29171bb3aa855926ec6e8db83164972edb48752c458b8776a073ab9e4e7e6bce5b23518aa6891fd1a78dfeed777cfbe96f36538 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 2e352bc7791cdfeeaf4976b11fcbc2b0 |
| SHA1 | d93dbf31101954ffafd6460bc596f21e151b9031 |
| SHA256 | 747d5fc37113c93fb3cb0e2c3d1e3e361e87f62faa42abef5e8e372ff3203dad |
| SHA512 | ea2664099908f9a73171f5ef1e8da94debe868d46f234a84083eb9a62e87a54d1874fa0eaeadbb805b92138fa28afe194bd32d3b8ce1dc88c7034c564d1d269c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13362349343242881
| MD5 | 0284a9701010fc4d392f1a583a097ec6 |
| SHA1 | 8a85fb0a342551294411e16cefaf08e200acfc73 |
| SHA256 | 562f0016e77d59a0c0655d7201811b6817fa321aed5e6d068ca98c9d4ac6862e |
| SHA512 | f92760ade1318caad37621721b8321633bcb5bd8937ce8a2b1f5f128a8ad3b47fc7bfdb98f009a09609329c789dbec7cce5efd0fffd29e723ede8cb9db2d9c9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
| MD5 | 3fa94e1904cba3085db9c2ec794f259a |
| SHA1 | d4b5b612b11f564055f6c173c5911449c5060f57 |
| SHA256 | fa793b3ebb3ef0d9b6a62e177dd5032c0849ff07a0659309678f87ab479a9a94 |
| SHA512 | 5b97f56e5882cc641e7295c8b9323809d0d7dccba55b002f5b544da9e0c178b406d1f2fc00e3bfb86cf380a99f60e177ae964c2e87eea0baaa4719d163e7468d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | de270f852f5fc6b93500d26e8524da67 |
| SHA1 | 111390f84cc132a6c34eee9cd5664f3610179942 |
| SHA256 | 3948b0319644d259f84380ae33cdc1a580e9a005eefdfa2e6ce834310da99956 |
| SHA512 | 74a27acd18bb66b9615dcc022f820ca2467aa3488fc50192455ec8782c1dd5c82a0751212b32928662e837201bdc75ddfb38fc4f235790f25eea33f2d1ae2b78 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 287a5c77df2b378d8d57258ea160b0a2 |
| SHA1 | a50fbeeb0b27f28563ceca2839e7f8acb1d78eaa |
| SHA256 | 627f6ce1730764d993bb2ca0fb73d7e45f6f6cb9b4e80e2387777cc8b20e175d |
| SHA512 | 5c8f309b68ed82caf2bea40a6cc2a20f394ec0855624a812601342d130bb433dae7af0ecf5fb1ed72b0027be03b87d635e3ac472201ee6e3d727c1ec1d278b84 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | c898bd766ed74ac913ad4f8c6c3e5619 |
| SHA1 | 35139ba64cf2a51fac5aa4b0c825b70b2edf420c |
| SHA256 | 9c7f8d79d268e000453d669baf5eb1d56adebe4f6d9ada23839a8012e40e4324 |
| SHA512 | 560762bfc5e92be8fac7b7625db8cef850122215ce0c19d79f9df5fac9c204895c659f9c5a5fea28dfac43c5bb14cc66a16851399b671ffffc2139b2bce286bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
| MD5 | eb48ae6f3d9a8aac4949df583ea91e00 |
| SHA1 | 0d1d7f0a73fbd0a06fbd30991db3408e8dd79213 |
| SHA256 | 22c6adb864814cb78f2e49586aae626a7367d0935c049ac620af142a211625b2 |
| SHA512 | 9c8153b4618ae0ded35a120d58cc3a314dec0db3f77f03859084025ff9a9492e4eae41bc6a2bdcd8889122497718a1350b1f2461ce873ee529528154172fe132 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 92759d331a63ec276337754d18a95f40 |
| SHA1 | 58e94fdaf218caf8bf6ccba4d52a722ab3bd93b5 |
| SHA256 | 9b64c745aa85c0fb14d4e7c04a495add1d70c8e8956790205c07d88fec7fc3ea |
| SHA512 | bb99a795599dcd29fa65130819409beb23306cf36b4a74f099a08109cdabcda02111e6a48cb4e9e231ead5275d0f69ed8c59d668ecf41b2ee09a966e86cfe986 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3656a3563e4c08e0cdde3811eae3870d |
| SHA1 | 10fa3538ed0ac9d79523dfbf25978c084933cccb |
| SHA256 | bd2df1ff1f30376068c8a17564d9bc1afdcda7fb70751437a20a3e7e462f4d93 |
| SHA512 | 6eaff49af958d73f787cf1be23464f8bedc64b5a2741a9cf10d37311197433cef1ce57d782ed9cca2a9239961282784d81cf423b8c9ec6089f72313528ef4479 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 9ff19d8603fc885e7cabf105ba1253fa |
| SHA1 | 352d2a2b750229d320181b759242c742ca64107f |
| SHA256 | 8acdd28910d40ed24c6716709b33a66ada5776802b8c8d9b848b39f40dcd5e85 |
| SHA512 | e35b9bea5942e17e4de90f4b18c8424cad468b64c37f859f8baac971799bbb0f7872c09c6fe63677ecbfa1d8e7b53ff5519c0f5527563c7b178b130caf706098 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
| MD5 | af8a699cf17ea882e9c2caf820908bed |
| SHA1 | 0de4fa50b04f7ebe9d792d3e06bcd5f690b17d90 |
| SHA256 | 0b58aaef1a73d2a042bb2c479464774356e82353f6fcab9e79af4e659a832cbb |
| SHA512 | b0291e83af97f981a1cb814d5df3ba1b52de519018d519de19617a2d77fb4a3c31aebfb87f28e857d3d98b74baacd5222cff3e6874f6fc0491498a1e5dfaa727 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
| MD5 | 82f52fc2178c5eca94133dfb0bf0886b |
| SHA1 | 34111e7946efcc2a264d3b250ac990f3ece989bb |
| SHA256 | a00d114ef9a4a873a292bdd7c2ba8d1801cb5930ec00b14e5920a71f5885c03a |
| SHA512 | 803aa09f34403ad0195f26a9c7a2b6602aa7a974b95644a1bedf1b3123897843486c14682475b439eaff83762abc10a0a390c0f7102295a0963a972fd596dd6f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
| MD5 | fffe172331178595819b2c3e29a22d28 |
| SHA1 | 6895592fdc390b63a8425023ec2ee1afede0c2ae |
| SHA256 | a7cf555d10e30969b9a4af4e78ac537f6db3498b411ca5ef2570e24104d935ee |
| SHA512 | 0e879148a11f585c037884c77fbc8c3f7bc6d0570f488c3a8ca33276ad5834a60021442ae4807c92d4ea30e95f95bcc1b1593334128304fa90e1600356c27ef4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG
| MD5 | c524b0661e40624502a3082089568b63 |
| SHA1 | aa7776616fcd94a14b7023617a252434fa0c286c |
| SHA256 | 3eb7b03f50d3425d8f5d57c50dfe7aa6a44a6198b1b1a06ea59184cdc939bfa1 |
| SHA512 | e8853787e323a7cd8c575bd31ac473aa3d9b66c98a003f1d7d3b18b44085a18f7250f6d411362c0a211daa6c9f187d773e08ca158a937a7d43f1abde986481c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bf941cc04c3ef5e84fd06c6ed69e194b |
| SHA1 | 8c10abce90cea0c5c8b55c4621a90484a306f92b |
| SHA256 | 1601d19f173d69f785d93ef85dc8cc18bb3b4d3754e122aceb32bbd99ec5bdde |
| SHA512 | 0e83fe165c8b2df0d2fb41efb3884d09e423d29bddfce1f50cc34fa625870ba8e919e3924cf413892f09fafe73a096e246ef0b52c52b762b38e1d66136332c3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b6d0011b97680e6f72297f91519caff0 |
| SHA1 | 93484be42786025fc56fbdbba8450ada0b64d469 |
| SHA256 | d825463b7e34601ebe964f29b527014a7fc6ea427fc2184ec861aeb1059ee3b5 |
| SHA512 | c4114006d27693e9b4ad635552ef82ccdea4a9bb3a181e5fea1f17c398c0ccec1e496951db04e189cc7dd60d7483691585321ca0b9ff5604b4333abbf7547c19 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2a99ed4188b768d0fe0a4dda9d3199e6 |
| SHA1 | d356bf56e757ce71622675b3b6a5c843a35e4334 |
| SHA256 | 9bd06b91a20223a3537370c2b4b3829a28670e3968045f804a68a14f0ef3f75c |
| SHA512 | a7f182001412be6e6280c5344614ed120aad97484541d01989fb1ee101c7780ed2e4bb6f8700ed2ee960f303372fdab4834331d4db8ab770c611ef4733126c7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1d05c44e9dc324169da9838653a8ade0 |
| SHA1 | a5b00c4710b1b63bf772dec890e8e38f19ad9727 |
| SHA256 | 42cf1d6b7622df1207e43495afdf2fad527654c4035570fa288864a184f0207f |
| SHA512 | f9843e6dac752271853e1c79f0cd9dd05746389fcb8ecc5fe4b15c464c8e0fbaf573ed15e7d396a55a7006002866206daa7d69585f7c47b23e71bc6643641994 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ff8aad2af5ca51ac68cb33777139eaaf |
| SHA1 | ce7fd044118c857016310a88cf12a877bd764991 |
| SHA256 | d9634bff08503faf730a52837985b9cb3fde6de1c73ae345a5b50f5717dda2eb |
| SHA512 | be04c49c5500e80467e6d7a4ab161d2f6d7e70ba8f38c04358198b86800dae6e2c8f1daf9f64600fce90c51d9cb78a6a5183821ebf51e26912bb753a161e6aeb |
memory/4948-837-0x000000001C680000-0x000000001C70E000-memory.dmp
memory/4948-838-0x000000001E350000-0x000000001E3DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cdjypv.exe
| MD5 | a3aa17dd5d90786ec17e030cf32c004a |
| SHA1 | a72c00ca3bb3ae0cfcdbf8899abb11fbfd802655 |
| SHA256 | c4fe8d5af2c177f6115aa39374aa505dfede45d9fdc347b885552796058d3596 |
| SHA512 | 39b4ea582845f3b374009cf3927475f4dfc5152c17a339f43a257228e7898b9af4581b79eb9bd5f31908d7ef1734e5148c4607742d984ce4b1560a0184ad034d |
memory/4948-857-0x000000001C740000-0x000000001C74C000-memory.dmp
memory/4948-858-0x0000000022520000-0x0000000022A48000-memory.dmp
memory/4948-859-0x000000001C750000-0x000000001C75A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\haljlb.exe
| MD5 | a0913b564f4d451d9b8c5a7e46a3cd82 |
| SHA1 | 15dcddfa133e81a83acb9022c8f6e0b0fe3473f5 |
| SHA256 | 50a4eaf75a68adc21d34abbde392b87d316b12a74d302dc823b2bae80c3679f9 |
| SHA512 | 0f9ff5524c40bac214f9a700a0d4ba381db5f63350323cf43304bf5fc50ede13c60038edeaff9e5a464e3d2c6d99e0fe2f54cee4f591cf9a685acbb3c82cdb50 |
memory/4948-869-0x000000001D640000-0x000000001D67A000-memory.dmp
memory/4948-873-0x000000001D180000-0x000000001D230000-memory.dmp
memory/4948-875-0x000000001D330000-0x000000001D366000-memory.dmp
memory/4948-876-0x000000001BE40000-0x000000001BE4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | 9ce4bd82c86451d0f6223c119c25614b |
| SHA1 | 08396c999da773931eb5ea6f6035a3b9021ebae3 |
| SHA256 | 58088abe6d0d8b703eb33b16d611ee66775ccfc88b7ba88afe689dbf15016f51 |
| SHA512 | b4b88f71e3b8705f7a9181280c9ff6b3721d3c5ccf45ab97702c48ea3e023a49e3b85abb1196740f6e4fb63148422ac2e4887a2ab9eb51b6b368386deafa798e |
C:\Users\Admin\AppData\Local\Temp\MSIFD8.tmp
| MD5 | 67f23a38c85856e8a20e815c548cd424 |
| SHA1 | 16e8959c52f983e83f688f4cce3487364b1ffd10 |
| SHA256 | f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40 |
| SHA512 | 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d |
C:\Config.Msi\e630f3a.rbs
| MD5 | 6b09be2154fb59df7ff87330fd89bc16 |
| SHA1 | 27aa3639d10174f4c9f99fb1836d22cf16484109 |
| SHA256 | 1e35d387795e216258c4568f67abf125f8a535b644a70872877ec6d4718676f8 |
| SHA512 | 73eb5e83563f54602212c9a47c6e9351f16d11428b07203d761b4f946371d6f61b1f45d740ae1652d9af247f5b72c1d3ed5b4ca235902f54d2d53bcd7b823190 |
C:\Config.Msi\e630f3d.rbs
| MD5 | 4071946e932741ec710a3294678bd011 |
| SHA1 | aed5585d994c1c92f78fd408afc5773ec1d96f35 |
| SHA256 | ff02c1e4d397eee3f81a40a6f47d81972690f5c50bac2602fc9f883211b55ae1 |
| SHA512 | 751dd72a252a62ba1538937bb90b4dc4a6041cc42b79014b4a6d6c0a365a067455e4caa21b6ef8358d386428b2c93688f35ac85448fa4fac7dd6a0db60a415f7 |
C:\Config.Msi\e630f40.rbs
| MD5 | 4df1e89716425709f8d30bae5dd061cf |
| SHA1 | e734bbc2cce46dc2a6e59798c0f08b5a9ca912a8 |
| SHA256 | 0213ae648f4beb7d439c5c22e24568c2bf868503a4b4bed70e9b21b4749b4f50 |
| SHA512 | e36aa8aad89f76c9636caec9f3d2212b0ccd827d0ca151726074ea5fedf9dfb11184a8027a9083232880b3ee9a2da78b4b8e40e19223aa039c9baa0fecde5a60 |
C:\Config.Msi\e630f43.rbs
| MD5 | a1eef553264fe6801db9d0ad2be729e0 |
| SHA1 | e4e04f2d89a9c7f104289525852229fba0dc6e00 |
| SHA256 | b7ae06c3a94721c70fe2fce838ab6c341980481acbf683154a6cb148e343ff05 |
| SHA512 | d6462eebd6c74a3280bbf40be6779bd4df1ed82b4a565d1a5307015ba9215b81239fa9259c63c993bbb72a88abf1d71f132892f2765b709b4f784665418f5280 |
C:\Config.Msi\e630f46.rbs
| MD5 | 181adb45235c75e27f203fe64d7be999 |
| SHA1 | a2e73277899ffd8bac5d9b2039c617195dbce4b5 |
| SHA256 | 3be4d121b09404931d4912125247291f5766166c31e8265ac04736c1a3fa7788 |
| SHA512 | c95f24b9465bbc3b8a671ddbe90acf8c9e48b8b8b8ba66e389ca2c6a58d1cb5f7e30414fa56a34b3ccc207dfa92ddb8a86d6bcca3dc4c481c94e971c5f1cdc6a |
C:\Config.Msi\e630f51.rbf
| MD5 | 21438ef4b9ad4fc266b6129a2f60de29 |
| SHA1 | 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd |
| SHA256 | 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354 |
| SHA512 | 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237 |
C:\Users\Admin\AppData\Local\Temp\MSI4914.tmp
| MD5 | 64a261a6056e5d2396e3eb6651134bee |
| SHA1 | 32a34baf051b514f12b3e3733f70e608083500f9 |
| SHA256 | 15c1007015be7356e422050ed6fa39ba836d0dd7fbf1aa7d2b823e6754c442a0 |
| SHA512 | d3f95e0c8b5d76b10b61b0ef1453f8d90af90f97848cad3cb22f73878a3c48ea0132ecc300bfb79d2801500d5390e5962fb86a853695d4f661b9ea9aae6b8be8 |
C:\Config.Msi\e630f54.rbs
| MD5 | 97d87c6edf3ce45693dbda80f483da30 |
| SHA1 | df4af3701cc0de05f56a15967c5909e7426cf048 |
| SHA256 | 7f255b87b207f64ee264c6948031cf38ddabc14ae75a8e6bb535510e5f6cc381 |
| SHA512 | 6fb1c37efd60a548c6ebe1c2e3b8a25fcd8224a748bc023a57dfb718c308e3e21d39833d9a2c8ee4a97d24fe16976dc77646737817b067c67b792b19c24ddee2 |
C:\Users\Admin\AppData\Local\Temp\MSI52F8.tmp
| MD5 | c23d4d5a87e08f8a822ad5a8dbd69592 |
| SHA1 | 317df555bc309dace46ae5c5589bec53ea8f137e |
| SHA256 | 6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27 |
| SHA512 | fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b |
C:\Users\Admin\AppData\Local\Temp\MSI54AD.tmp
| MD5 | 1f0af45ebb41a281e1842cf13ec0a936 |
| SHA1 | ed725de3bfb61f9614d76497ce88488925502977 |
| SHA256 | 18c9929344a096d80a051b2513c1c91ca89ba22c9e8d24240faf1566767a9e66 |
| SHA512 | 3c414d6ea6f929d9710ffb9a8dbfa737b36ded9b2cdf8260d6a8a9224ffb005e1dc090d331b9f69b9c7c8871570f437288fcc3c8b51dd619df9975d374085c8c |
C:\Users\Admin\AppData\Local\Temp\MSI57FC.tmp
| MD5 | 0e91605ee2395145d077adb643609085 |
| SHA1 | 303263aa6889013ce889bd4ea0324acdf35f29f2 |
| SHA256 | 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b |
| SHA512 | 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be |
C:\Config.Msi\e630f57.rbs
| MD5 | 3ad86382e83dfe1a850954e03a6cf1c9 |
| SHA1 | b1ec41dac4f5fa3f10a3726c599f4aaae4f4d870 |
| SHA256 | 6f2be413e4a201711814fa889b13885734fdd0a9ab3cf1c06201153c04ace7a2 |
| SHA512 | 2768a5e123efa66571be43181be089962865cdd3cec7fefc01517f4aab62e55e291a529d12c80c31b44e5794e6298c85707cb87e2fe4ac60e6838ac01a7d5b0d |
C:\Windows\Installer\MSI7B88.tmp
| MD5 | ee6243df5ea48d929da4790efeea45c9 |
| SHA1 | 9c21d62d7ffca1c68e615eb57bcd5d4ad3d090db |
| SHA256 | 0503fcf7646daae6e5445d8c5f248384542d2eeab4c7d8ad3cd5a47759759a48 |
| SHA512 | 283c6a7bf2bc0b3c2dced9ea7c763c71b6d68c57da6845985f8faaa9cb7649d945a3be2127bbc1e77be792f925e14cff191c9d6bdf821635d438f985feb7753f |
C:\Config.Msi\e630f5a.rbs
| MD5 | bd7256d74f0192da02fd5feaaccd2c27 |
| SHA1 | f4274e80f0eb49f7ed9cbc6e989ac819d73f0bc4 |
| SHA256 | 2063879695308b38178198c329445f3d253cd6bb18edbe0105a19894d53d72fc |
| SHA512 | 8eb07e280fd24284a9775f8b1b3d2043d27cc6c32624566df666d92d339e4f957b7048be662aec15417bb41e41f630d82a8c1035bacb3267c7e37589980f2826 |
memory/4948-1187-0x000000001BE50000-0x000000001BE5A000-memory.dmp
memory/4948-1199-0x000000001BE70000-0x000000001BE7A000-memory.dmp
memory/4948-1232-0x0000000001790000-0x000000000179A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll
| MD5 | ee44d5d780521816c906568a8798ed2f |
| SHA1 | 2da1b06d5de378cbfc7f2614a0f280f59f2b1224 |
| SHA256 | 50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc |
| SHA512 | 634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 35fc66bd813d0f126883e695664e7b83 |
| SHA1 | 2fd63c18cc5dc4defc7ea82f421050e668f68548 |
| SHA256 | 66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735 |
| SHA512 | 65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll
| MD5 | 1b304dad157edc24e397629c0b688a3e |
| SHA1 | ae151af384675125dfbdc96147094cff7179b7da |
| SHA256 | 8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb |
| SHA512 | 2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad |
C:\Users\Admin\AppData\Local\Temp\settings.db
| MD5 | 56b941f65d270f2bf397be196fcf4406 |
| SHA1 | 244f2e964da92f7ef7f809e5ce0b3191aeab084a |
| SHA256 | 00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c |
| SHA512 | 52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab |
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
| MD5 | 774a9a7b72f7ed97905076523bdfe603 |
| SHA1 | 946355308d2224694e0957f4ebf6cdba58327370 |
| SHA256 | 76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81 |
| SHA512 | c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675 |
C:\Users\Admin\AppData\Local\Temp\XenManager.dll
| MD5 | 7a5c53a889c4bf3f773f90b85af5449e |
| SHA1 | 25b2928c310b3068b629e9dca38c7f10f6adc5b6 |
| SHA256 | baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c |
| SHA512 | f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed |
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
| MD5 | a48e3197ab0f64c4684f0828f742165c |
| SHA1 | f935c3d6f9601c795f2211e34b3778fad14442b4 |
| SHA256 | baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb |
| SHA512 | e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll
| MD5 | fc57d044bfd635997415c5f655b5fffa |
| SHA1 | 1b5162443d985648ef64e4aab42089ad4c25f856 |
| SHA256 | 17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3 |
| SHA512 | f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll
| MD5 | 591533ca4655646981f759d95f75ae3d |
| SHA1 | b4a02f18e505a1273f7090a9d246bc953a2cb792 |
| SHA256 | 4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47 |
| SHA512 | 915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll
| MD5 | 04a2ba08eb17206b7426cb941f39250b |
| SHA1 | 731ac2b533724d9f540759d84b3e36910278edba |
| SHA256 | 8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4 |
| SHA512 | e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | b52a0ca52c9c207874639b62b6082242 |
| SHA1 | 6fb845d6a82102ff74bd35f42a2844d8c450413b |
| SHA256 | a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0 |
| SHA512 | 18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 849f2c3ebf1fcba33d16153692d5810f |
| SHA1 | 1f8eda52d31512ebfdd546be60990b95c8e28bfb |
| SHA256 | 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d |
| SHA512 | 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 404604cd100a1e60dfdaf6ecf5ba14c0 |
| SHA1 | 58469835ab4b916927b3cabf54aee4f380ff6748 |
| SHA256 | 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fefb98394cb9ef4368da798deab00e21 |
| SHA1 | 316d86926b558c9f3f6133739c1a8477b9e60740 |
| SHA256 | b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7 |
| SHA512 | 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 41a348f9bedc8681fb30fa78e45edb24 |
| SHA1 | 66e76c0574a549f293323dd6f863a8a5b54f3f9b |
| SHA256 | c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b |
| SHA512 | 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0ba750e7b15300482ce6c961a932f0 |
| SHA1 | 71a2f5d76d23e48cef8f258eaad63e586cfc0e19 |
| SHA256 | bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed |
| SHA512 | fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a2f2258c32e3ba9abf9e9e38ef7da8c9 |
| SHA1 | 116846ca871114b7c54148ab2d968f364da6142f |
| SHA256 | 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33 |
| SHA512 | e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 93d3da06bf894f4fa21007bee06b5e7d |
| SHA1 | 1e47230a7ebcfaf643087a1929a385e0d554ad15 |
| SHA256 | f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d |
| SHA512 | 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | aec2268601470050e62cb8066dd41a59 |
| SHA1 | 363ed259905442c4e3b89901bfd8a43b96bf25e4 |
| SHA256 | 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2 |
| SHA512 | 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | ac290dad7cb4ca2d93516580452eda1c |
| SHA1 | fa949453557d0049d723f9615e4f390010520eda |
| SHA256 | c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382 |
| SHA512 | b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8 |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 72e28c902cd947f9a3425b19ac5a64bd |
| SHA1 | 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7 |
| SHA256 | 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1 |
| SHA512 | 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff |
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll
| MD5 | 6ea692f862bdeb446e649e4b2893e36f |
| SHA1 | 84fceae03d28ff1907048acee7eae7e45baaf2bd |
| SHA256 | 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2 |
| SHA512 | 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7 |
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll
| MD5 | e846285b19405b11c8f19c1ed0a57292 |
| SHA1 | 2c20cf37394be48770cd6d396878a3ca70066fd0 |
| SHA256 | 251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477 |
| SHA512 | b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7 |
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll
| MD5 | c73ec58b42e66443fafc03f3a84dcef9 |
| SHA1 | 5e91f467fe853da2c437f887162bccc6fd9d9dbe |
| SHA256 | 2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7 |
| SHA512 | 6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf |
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll
| MD5 | 7ddbd64d87c94fd0b5914688093dd5c2 |
| SHA1 | d49d1f79efae8a5f58e6f713e43360117589efeb |
| SHA256 | 769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1 |
| SHA512 | 60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d |
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll
| MD5 | 72414dfb0b112c664d2c8d1215674e09 |
| SHA1 | 50a1e61309741e92fe3931d8eb606f8ada582c0a |
| SHA256 | 69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71 |
| SHA512 | 41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9 |
memory/4948-1233-0x00000000231E0000-0x00000000236B4000-memory.dmp