Malware Analysis Report

2025-04-13 23:34

Sample ID 240730-z5vl5szalj
Target Injectorka.exe
SHA256 272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
Tags
erbaev njrat discovery evasion persistence privilege_escalation trojan
score
10/10


Analysis Overview

score
10/10

SHA256

272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672

Threat Level: Known bad

The file Injectorka.exe was found to be: Known bad.

Malicious Activity Summary

erbaev njrat discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Njrat family

Modifies Windows Firewall

Disables Task Manager via registry modification

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Program Files directory

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-30 21:18

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 21:18

Reported

2024-07-30 21:21

Platform

win7-20240729-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Injectorka.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2880 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injectorka.exe

"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:14407 2.tcp.eu.ngrok.io tcp

Files

memory/1820-0-0x0000000074821000-0x0000000074822000-memory.dmp

memory/1820-1-0x0000000074820000-0x0000000074DCB000-memory.dmp

memory/1820-2-0x0000000074820000-0x0000000074DCB000-memory.dmp

\Users\Admin\AppData\Roaming\server.exe

MD5 c40c09bf0ce0defbe50f123e8d6a6174
SHA1 d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
SHA256 272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
SHA512 8f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4

memory/1820-14-0x0000000074820000-0x0000000074DCB000-memory.dmp

memory/2880-16-0x0000000074820000-0x0000000074DCB000-memory.dmp

memory/2880-15-0x0000000074820000-0x0000000074DCB000-memory.dmp

memory/2880-17-0x0000000074820000-0x0000000074DCB000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 b66e20886f9675fe4dbf430ea2d0bf8d
SHA1 2e676da72201e6e4482e00b300511900c6aee5a0
SHA256 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512 f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

memory/2880-44-0x0000000074820000-0x0000000074DCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-30 21:18

Reported

2024-07-30 21:21

Platform

win10v2004-20240730-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"

Signatures

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Injectorka.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File opened for modification C:\Windows\SysWOW64\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A
File created C:\Program Files (x86)\Explower.exe C:\Users\Admin\AppData\Roaming\server.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Injectorka.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\server.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\server.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2644 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Injectorka.exe C:\Users\Admin\AppData\Roaming\server.exe
PID 2644 wrote to memory of 3540 (3 events) N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2644 wrote to memory of 1224 (3 events) N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2644 wrote to memory of 5064 (3 events) N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2644 wrote to memory of 5016 (2 events) N/A C:\Users\Admin\AppData\Roaming\server.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5016 wrote to memory of 1560 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5016 wrote to memory of 4244 (40 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5016 wrote to memory of 4220 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5016 wrote to memory of 2136 (6 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injectorka.exe

"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"

C:\Users\Admin\AppData\Roaming\server.exe

"C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=UIFyFyJqHtM

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde1bd46f8,0x7ffde1bd4708,0x7ffde1bd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4872 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x42c 0x300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,13989295551505421275,5365402853153744053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding
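The three netsh.exe launches are njRAT's usual firewall exception for its own copy in Roaming: add the rule, delete it, add it again. The sample uses the legacy `netsh firewall` context, which is deprecated but still accepted on current Windows builds (with a deprecation notice), so a detection that only matches the `advfirewall` syntax misses it. The following added example is not part of the report: it parses both syntaxes out of process command lines and flags exceptions granted to programs in user-writable directories, run over a constructed set of process-creation records (the three command lines above plus invented benign and malicious ones, marked as such).

```python
"""Flag firewall exceptions for programs in user-writable paths.

Added example; the report's three netsh command lines are embedded below
together with constructed records that are not from the report.
"""
import re
from collections import defaultdict

# netsh firewall add|delete allowedprogram "<path>" "<name>" ENABLE
LEGACY = re.compile(
    r'netsh(?:\.exe)?"?\s+firewall\s+(add|delete)\s+allowedprogram\s+'
    r'(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# netsh advfirewall firewall add|delete rule name=... program="<path>"
ADVFW = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+(add|delete)\s+rule\b(.*)', re.I)
PROGRAM = re.compile(r'program=(?:"([^"]+)"|(\S+))', re.I)

# Directories a standard user can write to; a rule for a binary living here
# is far more suspicious than one for a Program Files install.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

SRV = r"C:\Users\Admin\AppData\Roaming\server.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# (pid, parent image, command line). The first three rows are the report's;
# the rest are constructed for the example.
SAMPLE_EVENTS = [
    (3540, SRV, r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'),
    (1224, SRV, r'netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"'),
    (5064, SRV, r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE'),
    (7001, CMD, r'netsh advfirewall firewall add rule name="Contoso Sync" dir=in action=allow program="C:\Program Files\Contoso\sync.exe"'),
    (7002, CMD, r'netsh interface show interface'),
    (7003, CMD, r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\updater.exe"'),
]


def parse_firewall_cmd(cmdline):
    """Return {context, action, program} for a firewall rule change, else None."""
    m = LEGACY.search(cmdline)
    if m:
        return {"context": "firewall", "action": m[1].lower(), "program": m[2] or m[3]}
    m = ADVFW.search(cmdline)
    if m:
        p = PROGRAM.search(m[2])
        return {"context": "advfirewall", "action": m[1].lower(),
                "program": (p[1] or p[2]) if p else None}
    return None


def user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def suspicious_firewall_events(events):
    """(pid, parent, action, program) for every rule that opens the firewall
    for a binary in a user-writable directory."""
    hits = []
    for pid, parent, cmd in events:
        info = parse_firewall_cmd(cmd)
        if info and info["program"] and user_writable(info["program"]):
            hits.append((pid, parent, info["action"], info["program"]))
    return hits


def rule_churn(events):
    """add/delete counts per program; njRAT re-creates its rule on every run."""
    churn = defaultdict(lambda: {"add": 0, "delete": 0})
    for _, _, cmd in events:
        info = parse_firewall_cmd(cmd)
        if info and info["program"]:
            churn[info["program"].lower()][info["action"]] += 1
    return dict(churn)


if __name__ == "__main__":
    for hit in suspicious_firewall_events(SAMPLE_EVENTS):
        print("firewall exception for user-writable binary:", hit)
    print(rule_churn(SAMPLE_EVENTS))
```

Pairing the hit with the parent image (server.exe itself, not an installer or an admin shell) is what turns this from a noisy rule into a high-confidence one; legitimate installers add rules for paths under Program Files and do so once.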

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.127.138.57:14407 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 57.138.127.3.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
FR 172.217.18.206:443 www.youtube.com tcp
FR 172.217.18.206:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 rr5---sn-aigzrnze.googlevideo.com udp
US 8.8.8.8:53 206.18.217.172.in-addr.arpa udp
FR 142.250.179.118:443 i.ytimg.com tcp
GB 74.125.175.234:443 rr5---sn-aigzrnze.googlevideo.com tcp
GB 74.125.175.234:443 rr5---sn-aigzrnze.googlevideo.com tcp
FR 142.250.179.118:443 i.ytimg.com udp
US 8.8.8.8:53 234.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 118.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
IE 74.125.193.84:443 accounts.google.com tcp
IE 74.125.193.84:443 accounts.google.com udp
US 8.8.8.8:53 84.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-hgn7yn7s.googlevideo.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 74.125.11.200:443 rr3---sn-hgn7yn7s.googlevideo.com udp
FR 172.217.18.202:443 jnn-pa.googleapis.com tcp
FR 172.217.18.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 200.11.125.74.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 yt3.ggpht.com udp
FR 216.58.213.65:443 yt3.ggpht.com tcp
US 8.8.8.8:53 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 65.213.58.216.in-addr.arpa udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 174.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
FR 142.250.74.238:443 youtube.com tcp
US 8.8.8.8:53 238.74.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FR 216.58.213.65:443 yt3.ggpht.com udp
US 8.8.8.8:53 consent.youtube.com udp
GB 74.125.175.234:443 rr5---sn-aigzrnze.googlevideo.com udp
US 8.8.8.8:53 rr3---sn-q4fl6n6y.googlevideo.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
FR 216.58.214.66:443 googleads.g.doubleclick.net tcp
US 173.194.140.168:443 rr3---sn-q4fl6n6y.googlevideo.com udp
FR 216.58.214.66:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
FR 142.250.74.230:443 static.doubleclick.net tcp
US 8.8.8.8:53 168.140.194.173.in-addr.arpa udp
US 8.8.8.8:53 66.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 230.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
FR 142.250.179.65:443 lh3.googleusercontent.com tcp
US 8.8.8.8:53 65.179.250.142.in-addr.arpa udp
FR 142.250.74.238:443 youtube.com udp
US 8.8.8.8:53 support.google.com udp
FR 142.250.179.78:443 support.google.com tcp
FR 142.250.179.78:443 support.google.com tcp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 storage.googleapis.com udp
FR 142.250.74.251:443 storage.googleapis.com tcp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
US 8.8.8.8:53 251.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 168.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
FR 142.250.201.174:443 play.google.com udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
FR 172.217.20.196:443 www.google.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
FR 142.250.179.78:443 apis.google.com udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 rr5---sn-ntqe6nel.googlevideo.com udp
AU 74.125.109.138:443 rr5---sn-ntqe6nel.googlevideo.com udp
AU 74.125.109.138:443 rr5---sn-ntqe6nel.googlevideo.com tcp
AU 74.125.109.138:443 rr5---sn-ntqe6nel.googlevideo.com tcp
US 8.8.8.8:53 138.109.125.74.in-addr.arpa udp
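Most of this table is decoy traffic: server.exe launches msedge.exe with a YouTube URL (see the Processes section), and every Google, YouTube and DoubleClick row follows from that browser session. The one connection the browser does not explain is 2.tcp.eu.ngrok.io at 3.127.138.57:14407, an ngrok TCP tunnel fronting the njRAT controller, which is what the "Legitimate hosting services abused for malware hosting/C2" tag refers to. The added example below is not part of the report: it parses rows in the report's format, sets aside resolver and reverse-lookup traffic, attributes browser-related domains to the decoy session and returns what is left as C2 candidates. The rows are a subset copied from the table, and the tunnel and browser suffix lists are the author's assumptions, not something the report states.

```python
"""Separate C2 candidates from decoy browser noise in a sandbox network table.

Added example; the rows below are a subset of the report's table, the
suffix lists are assumptions.
"""
import re

# "<country> <ip>:<port> [<domain>] <proto>"; the mDNS row has no domain.
ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")

RESOLVER = "8.8.8.8"
# Assumption: a partial list of tunnelling services commonly fronting C2.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".trycloudflare.com", ".loca.lt")
# Assumption: domains explained by the decoy YouTube page the sample opens in Edge.
BROWSER_SUFFIXES = (".google.com", ".youtube.com", ".googlevideo.com", ".ytimg.com",
                    ".ggpht.com", ".doubleclick.net", ".googleapis.com",
                    ".googleusercontent.com", ".google-analytics.com")

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.127.138.57:14407 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 57.138.127.3.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
FR 172.217.18.206:443 www.youtube.com tcp
FR 172.217.18.206:443 www.youtube.com udp
GB 74.125.175.234:443 rr5---sn-aigzrnze.googlevideo.com tcp
N/A 224.0.0.251:5353 udp
FR 216.58.214.66:443 googleads.g.doubleclick.net tcp
FR 142.250.74.238:443 youtube.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
"""


def parse_network(text):
    """(domain, ip, port, proto) per row; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m[4] or "", m[2], int(m[3]), m[5]))
    return rows


def _has_suffix(domain, suffixes):
    # Prefixing a dot makes "youtube.com" and "www.youtube.com" match ".youtube.com".
    return ("." + domain).endswith(suffixes)


def classify(domain, ip, port, proto):
    if ip == RESOLVER and port == 53:
        return "ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if ip.startswith("224.") or port == 5353:
        return "local"
    if _has_suffix(domain, TUNNEL_SUFFIXES):
        return "tunnel"
    if _has_suffix(domain, BROWSER_SUFFIXES):
        return "browser"
    return "unknown"


def triage(rows):
    cats = {k: [] for k in ("dns", "ptr", "local", "tunnel", "browser", "unknown")}
    for row in rows:
        cats[classify(*row)].append(row)
    return cats


def c2_candidates(rows):
    """Tunnel-service endpoints plus anything the decoy browser session does not explain."""
    cats = triage(rows)
    return cats["tunnel"] + cats["unknown"]


def resolved_names(rows):
    """Forward lookups the sample issued, reverse lookups excluded."""
    return sorted({d for d, ip, port, _ in rows
                   if ip == RESOLVER and port == 53 and not d.endswith(".in-addr.arpa")})


if __name__ == "__main__":
    rows = parse_network(NETWORK_TABLE)
    for domain, ip, port, proto in c2_candidates(rows):
        print(f"C2 candidate: {domain} {ip}:{port}/{proto}")
    print("resolved:", resolved_names(rows))
```

Treat the hostname pattern (a numbered tcp.<region>.ngrok.io label on a high, non-web port) as the durable indicator: ngrok TCP endpoints and ports are assigned per operator session, so the 3.127.138.57:14407 pair is likely to change between campaigns while the tunnel service stays the same.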

Files

memory/1932-0-0x0000000074882000-0x0000000074883000-memory.dmp

memory/1932-1-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/1932-2-0x0000000074880000-0x0000000074E31000-memory.dmp

C:\Users\Admin\AppData\Roaming\server.exe (SHA256 identical to the submitted Injectorka.exe: the dropped file is an unmodified self-copy)

MD5 c40c09bf0ce0defbe50f123e8d6a6174
SHA1 d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
SHA256 272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
SHA512 8f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4

memory/2644-14-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/1932-13-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2644-15-0x0000000074880000-0x0000000074E31000-memory.dmp

C:\Users\Admin\AppData\Roaming\app

MD5 b66e20886f9675fe4dbf430ea2d0bf8d
SHA1 2e676da72201e6e4482e00b300511900c6aee5a0
SHA256 899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512 f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870

memory/2644-42-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2644-43-0x0000000074880000-0x0000000074E31000-memory.dmp

memory/2644-44-0x0000000074880000-0x0000000074E31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 81e22c2898ac78c14a840076a8446b9d
SHA1 ff5b7cca3ff2c4e77e6330e2c5e2b62bb56e9fe6
SHA256 a5e570fc8d3a52027db48adf1301fe8dffc500a4bef04d0d6bff15fff78ade8d
SHA512 19381615be8f53ccae56a21c29c314c3247ac78fd3cf838f52ca98757b54f945f0d178cfb44ea5ad42fc68b3d3e6e7ce4e4f40eb69f791fa5132f591c62388e6

\??\pipe\LOCAL\crashpad_5016_UIWSBKIQYUFKPCOC (Edge crashpad named pipe; the hashes below are those of a zero-length read)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8d8ccfa6a8b1b15db876b848b8fdc102
SHA1 dc7d92c35e9c84d8d78ac0aedc926214cee68135
SHA256 b48f98046030e23b843422251481c3f19cfa0cf71fb36a8ff89dfcb152761f86
SHA512 6ae61b6cf236082b9930686ad2650c3ce3fa337550363e0858062dbb399093b0ac6bbca3d4c40101e222ce764fa4fb704bfc591e6d5b0a6c165f170cd6c9d5b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b9b41a991f803b58f0fbf350e5eabd6b
SHA1 f47813ca955f8e7120c68323e0b337e75dd832ac
SHA256 4306d050ca8e3e8e4d9d75fd1b88918bd391e1e0f351b391d4258f3a6a13a094
SHA512 f684d48da7e1e0eb94fbc5967917b8a8f8bceb2264271a090c690abd6839c1b5f707e2cc579d6b0f88a4d2a9e57467d859caa113e974dbf199ac84c67acbede5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b797fbcb2f3c50a2eadc1cf0a6fb3553
SHA1 b2252f3d27f95d94e8381e39735b8dad8d0c32a6
SHA256 0a9923a21b2611f5e995376e16074c12bdb8282c1d19b1e26d719ca49977c835
SHA512 8c51d0a68e2f36757ea9aa3aa929c7f3e46cc5e5ecf1e1652c3378974bea3023190f0f12f7c0b97e9b3120363affd93977434851b23ece144e88bad552ea46ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 c61a95f8ef949b7b8e4b2c49f6a36724
SHA1 5f296b28e2eaab9ae1b8947aac493eddf0421789
SHA256 80a18fc00290aaa8b31e80b1385d989c66241b4219f3acbb04c2d7c33c71673c
SHA512 f719d3204da98578c6e55566af24e7cd1de6e303df1dad915be40cb0f5523109a50b78ead20e396e069321c704c4d0b54e7a99e6446ce1f0903122cbb3125265

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b9d95124b72175c1705a2d47ba0e146d
SHA1 d1322ee7cfe2968d99bb17e8074b6a2a186ebe5c
SHA256 6d5c7c3bf5db772f1a946f1615b1c2c5d4827ae3200eb769707ef6436507d2f8
SHA512 1bc7354270ede529fe5eeb8bce091a249ed108041e9020b19d0ded967120d84622d4390465857740906696a8abc5e465d4766d0829447027bf94293d2dba7732

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 637a33c085ac224e84443c66f5315d32
SHA1 cd4ea2329fb70d8efa8b3a77a3ab1aa61c37a2a0
SHA256 e3ed753b002510540696f9eebf3231346c9d4ab83c8b837ef4f379935a60d7fb
SHA512 f4b786c819b42a8c216192bcb550294d24304e9e84672311ae9e5f47b2069a93ed7c4f206cdf254c3f18f8002192772b578da0ad80f5dbc6a8ed6de59bfe3520

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a968ef63dcae9fa8e8f8f5fcb5f7f920
SHA1 28176fa4cd6b656444d1a7e9eacd1be267b0ff44
SHA256 fac91e15b940ef44a43f5dbfb0389ac19c93923d022ae0c11be7a4aeeb713add
SHA512 bc9b1ecfffaa8c7fb3b21bd988bf450f55fd19578eff06abd2e5b1cc890c5e931dedc5793527ad0836a96bbeaadb01791b001c2c14c8f7491bfcfe66a9bc9d40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ceeaa2a0-c106-41a2-8bd8-e704f1c221f3\index-dir\the-real-index

MD5 b21b0101f029c4c14013fb9ec29ebd9b
SHA1 39042d72533cf22ffb24412107a0a16b8acaebe6
SHA256 414862c38436289210dd90d9c6310d82aba76d55c1b4826f3a429401c570191e
SHA512 4ae571efea7bc9bfc0c87c65620a861beed081ecca68fe4cbe8bf2f4c4d5d25a8e8386ac88333e6c23f4611f0a72a4017a80cbf49079d40b5b2e165a71766f10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ceeaa2a0-c106-41a2-8bd8-e704f1c221f3\index-dir\the-real-index~RFe59dd66.TMP

MD5 ef8291de7c86d337087fc31c7cd9e8b1
SHA1 0eb29bd9d9dc3f56c802faf86e55ddb9baf4ab3a
SHA256 9d472374d0ff25c444189e63b27d3d2d6307c9560f0e62195d584bb52eaede08
SHA512 c6ad040b5ef745961aef411a5c0cea838f07cb24c2a352227c47d3a322143ac9e5181c48cd2e9b32b393173c62ab30968d06f18b3ee31afef46db7a2a9ed1dc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1b0da7633c83071b95fe87ecd777d077
SHA1 43ef40e4e3cafee77b1aaf471489a4e0bb853b0d
SHA256 8c8c6bbc96de3274eece46b16c80e161e6f821ae81bb13a1e508fee73a289b26
SHA512 08cac4b1568cf8c551bec4d79150bdb2077f4521ac7798f47b2a5433e77d4bb8a7f3fa0bc0b83dc1bb29724d9897cd068154ea83f59cf6af0fe13931acb73fd6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2156eef8fa831665d49722ecd0d4f54f
SHA1 53a655c9b54621dd6048f29e3c6cfb5ca14fbb1c
SHA256 50a93f70572ff80a47471be12314df837487acd4ad573ab9908c9cf5cce8515f
SHA512 632684d220ecaf789f10ae9504018991ae5b537713589e90eb4b230db3dc7a7620b21ba8bcc9f97a3eef6f070dd027ff7ca631a4b3e5deda6615f7014056bc54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\25e17d27-898d-46d7-9e34-efeb9bb83834\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e216e4a8b655630490b8aa8706ac6218
SHA1 242cc3169e9078bcf0e5e1e053b135a65d4a6c9d
SHA256 dd321dbfd891dbaf6a4fff0c989b419ba01067f8657c445cf7b086a1d1ef43df
SHA512 2a95db3fe10b9f0a21bc95fa3fc90bca446fefb8c032ec7ef2762bb46ee727127af8a4e705e51535917b049351fc84e6d61fcf0423cdddcca813e9485ce541b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 f3b372b33647e99452cfe59525a6b19b
SHA1 2529e0eb09e221dadef7b407882341dd987f5c5d
SHA256 1bd45c070a76f8d10d0908fb5b4d74df57c98699124dc95502183626064eba8c
SHA512 5516a59719b4f044bf2d78a8e07783316216bf60e827b7da102e8f6b0c71ce58ab49ae45dc6d36ea156b728f3cf2a0c7b80f9dcd93b4325b8833350836b8ce7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 124edd00544919be214b12cd867575f9
SHA1 1cd89f070fb7f27082951746082b34b7a109c383
SHA256 3bbfc48f6134b705cedaf7782fb1855a0a58fb1442bf6cc3867c2ef2e0359ec6
SHA512 d5109f9d5f05f5bf7321313ba34fec2d046b4a8f618ded4db3fb4549905992fdd74c8d19f1f8aa516c99f49714a58a9de983903e1b1b48f5bf12f585f34c9b63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 38cc0e5978d24a8b6874aff769786eef
SHA1 145261c75b77c0f20b59a0fd242f24a530798fc3
SHA256 46be812f587d3cc96cac9aef9b289ac0403384d7786aed7ac6c268800b78257c
SHA512 edbf1443567da91636d4922a0733de127f5420fe1a41d2d5e44d8dba277d1089c42fa0f09cac380c0018571f72ca1623d037666e6acd99bd326da21e7eb0445d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29c50e4996349e885aa8844b70947d6a
SHA1 73314556fa8e024ff4071e03ce620ddde9113826
SHA256 9d5972be87ebb24bdde3843dcdd9c508b187b5e3e702002a2fcd63e50cc819f8
SHA512 6bd7e9bb8ab9e2f8450dfa5d3992af5759cbdbbd35468caf7e8f5f1d67efc98109e5f6a30b9dc9152dec05a93b617658e96ec935cb243b4d792554b9eb2606a9
