Malware Analysis Report

2025-01-22 08:42

Sample ID 241027-shx1eswqft
Target Sodastream_logo_2022.svg-removebg-preview.png
SHA256 1d62cdf72a651270712fccd43f749f8bbd97bcb1578652c301d6f4f3ffb16021
Tags discovery spyware stealer
Score 7/10

Analysis Overview

Score 7/10

SHA256

1d62cdf72a651270712fccd43f749f8bbd97bcb1578652c301d6f4f3ffb16021

Threat Level: Shows suspicious behavior

The file Sodastream_logo_2022.svg-removebg-preview.png was classified as: shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 15:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 15:08

Reported

2024-10-27 15:26

Platform

win11-20241007-en

Max time kernel

1070s

Max time network

1079s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Sodastream_logo_2022.svg-removebg-preview.png

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133745155851415389" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "3" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt2.microsoft.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\calc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "124" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\fpt.live.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdoma = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\login.live.com\ = "124" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\account.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "40" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\N = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperiencehos = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\NumberOfSubdomain = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\calc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\NumberOfSubdomains = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt2.microsoft.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt2.microsoft.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\account.live.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\signup.live.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CacheVersion = "1" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0" C:\Windows\system32\wwahost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperiencehos C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\control.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\live.com\Total = "124" C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdoma = "1" C:\Windows\system32\wwahost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\calc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperiencehos C:\Windows\system32\wwahost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cloudexperiencehost C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\login.live.com C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.com\Total = "0" C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\fpt.live.com\ = "0" C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\Content C:\Windows\system32\wwahost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\wwahost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\control.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 12
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A 12

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 704 wrote to memory of 1900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 704 wrote to memory of 3016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 40
PID 704 wrote to memory of 4892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2
PID 704 wrote to memory of 4816 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 20

All 64 writes come from a single msedge.exe (PID 704) into four other msedge.exe processes; no non-browser binary appears as source or target. This is the pattern of a Chromium-based browser process setting up its sandboxed child processes (GPU, network, renderer, utility) and is not, by itself, evidence that the submitted file injected code anywhere. Rows whose source or target is not a browser process would be the ones worth chasing.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Sodastream_logo_2022.svg-removebg-preview.png

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\System32\SystemSettingsBroker.exe

C:\Windows\System32\SystemSettingsBroker.exe -Embedding

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Windows\system32\CredentialEnrollmentManager.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?LinkId=335789

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9f5303cb8,0x7ff9f5303cc8,0x7ff9f5303cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f36ccc40,0x7ff9f36ccc4c,0x7ff9f36ccc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4228,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4324 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4324,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3344,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3884 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3204,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,16785508636775544209,11493456567284492242,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,11139641516628200131,11407646934365459864,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Windows\System32\CredentialUIBroker.exe

"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa

C:\Windows\system32\control.exe

"C:\Windows\system32\control.exe" SYSTEM

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\calc.exe

calc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3994855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 2.18.27.76:443 www.bing.com tcp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
US 8.8.8.8:53 195.195.62.23.in-addr.arpa udp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 88.221.134.2:443 tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 150.171.74.254:443 bx-ring.msedge.net tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
IE 40.126.31.66:443 myaccount.microsoft.com tcp
GB 2.18.27.76:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
GB 172.217.169.36:443 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 142.250.200.46:443 apis.google.com udp
IE 40.126.31.66:443 myaccount.microsoft.com tcp
IE 40.126.31.66:443 myaccount.microsoft.com tcp
GB 142.250.187.206:443 play.google.com udp
GB 142.250.187.206:443 play.google.com tcp
IE 40.126.31.66:443 myaccount.microsoft.com tcp
IE 40.126.31.66:443 myaccount.microsoft.com tcp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 104.208.16.95:443 browser.pipe.aria.microsoft.com tcp
US 20.42.73.24:443 browser.events.data.microsoft.com tcp
FR 51.11.192.50:443 eu-mobile.events.data.microsoft.com tcp
IE 40.126.31.67:443 login.microsoftonline.com tcp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 20.42.73.24:443 browser.events.data.microsoft.com tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 152.199.21.175:443 logincdn.msftauth.net tcp
IE 40.126.31.67:443 login.microsoft.com tcp
US 104.208.16.95:443 browser.pipe.aria.microsoft.com tcp
US 20.42.73.24:443 browser.events.data.microsoft.com tcp
FR 51.11.192.50:443 eu-mobile.events.data.microsoft.com tcp
IE 40.126.31.67:443 login.microsoft.com tcp
IE 40.126.31.67:443 login.microsoft.com tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
US 20.42.73.24:443 browser.events.data.microsoft.com tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
GB 142.250.179.234:443 content-autofill.googleapis.com tcp
GB 142.250.178.14:443 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
IE 40.126.31.71:443 login.microsoft.com tcp
IE 40.126.31.71:443 login.microsoft.com tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
US 13.107.246.64:443 aadcdn.msauth.net tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
US 152.199.21.175:443 logincdn.msftauth.net tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
GB 13.87.96.169:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 lgincdnvzeuno.azureedge.net udp
US 152.199.21.175:443 lgincdnvzeuno.azureedge.net tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 13.107.42.22:443 signup.live.com tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 13.107.246.64:443 acctcdn.msauth.net tcp
NL 52.178.17.235:443 browser.events.data.microsoft.com tcp
US 13.107.42.22:443 signup.live.com tcp
US 52.167.30.171:443 fpt.live.com tcp
US 52.167.30.171:443 fpt.live.com tcp
US 52.167.30.171:443 fpt.live.com tcp
GB 51.140.242.104:443 x.urs.microsoft.com tcp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
GB 2.18.27.76:443 www.bing.com tcp
GB 88.221.134.2:443 tcp
US 13.107.246.64:443 fp-afd.azureedge.net tcp
US 13.107.138.254:443 spo-ring.msedge.net tcp
US 20.42.65.89:443 browser.pipe.aria.microsoft.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 2.18.27.82:443 www.bing.com tcp
GB 88.221.134.2:443 tcp
US 13.107.253.254:443 t-ring-fallback.msedge.net tcp
US 4.150.240.10:443 management.azure.com tcp
US 20.42.65.89:443 browser.pipe.aria.microsoft.com tcp
US 8.8.8.8:53 10.240.150.4.in-addr.arpa udp
US 8.8.8.8:53 254.4.107.13.in-addr.arpa udp
GB 88.221.134.2:443 tcp
US 20.42.4.113:443 eafddirect.msedge.net tcp
US 150.171.74.254:443 bx-ring.msedge.net tcp
US 13.107.246.64:443 msedgetest.footprintdnstest.com tcp
US 13.107.138.254:443 spo-ring.msedge.net tcp
IN 104.211.137.143:443 5a38e14695e263b8060e10a399f1607b.azr.footprintdns.com tcp

Files

C:\PerfLogs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\vcredist2010_x64.log.html

MD5 9740dc5235e25bc0b18f57662e0c0608
SHA1 580613b11115712bfed89de8e5fb1b8e001060fb
SHA256 a45911504f10e4ebdedd041d0cf174b64ddba209e6effe2a52294cd5f9c05098
SHA512 9f46232726bb758acac5d85424022e8fcfa14ecf5b0169b9721117c9e70a8aa1e1c907d1d09d97148072ac0219fbd0ac3fe8050a5d0a40d4b4b85daec7652134

C:\vcredist2010_x86.log.html

MD5 2d9b43d9cf9404dbbbe637b274460336
SHA1 3ec3d60d54ef3a42877bb9559c9ec49a5cf90e15
SHA256 e1100c6688277f1c65cae7672df11f488151cd336891b4909b8fb1065cd166eb
SHA512 e2232e611adfa1fc507c709cb5ec020c468521054b754178bab8d0c4ce13aa72d0bbc491f3c0727ddc57123b1be9b9a2ec51cdbaedf0450b5a0248e30e27203a

C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

MD5 2e86c75b2fc1c2d554e11d44c280429f
SHA1 93c06449220db173313caee5c7031bb76888d643
SHA256 3cb93f264076a0dcb578b2d0f80d2c1100ae068f33a9152e053a698f8f45669c
SHA512 b3d367f68e5f745ef2e562537183cb25aefab086361d96e15f2f9931a43c536641753ea0f2dcb28e4925762335db60575ca94b8e7da7141eb0037d91842c458b

C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

MD5 07e0ee0b82e8b2f4e9d322e633c341a1
SHA1 0ac1e2c1d1294740041cf56f1607057b994bb809
SHA256 9c25207438f88e0ffa8dae1ba94d1c41777d189cca2deb56c0f58fce9d5dc63a
SHA512 87d36fb221215127aa74033452e8667e15e505799cbab5b302c014a5cec3aa3c73990e3be17e3daed36bde35c29311419b7f3088e2a6bfdcabec78da48e15eef

C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

MD5 0ffe07b4372e8a96cc296f6f70f9cb82
SHA1 7e9056d8273c3d53594062725686133fcbe25808
SHA256 b06866f3839b932f10a0bb2a0f455d3c3397dde84ffa717b6ba942087f1b9fb7
SHA512 110acabc88ed233c227f3fbe4106f757d3d0bd62c52609ee35236523ccde231852e4fe6c2a7c2c01d8c1601be8946c3fa3316e8866d03711300276a470fea0d0

C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

MD5 06b4a609ee1a5c8d127bf25f92f21cff
SHA1 aec5707a704bee14c79f32369b9921887487c5db
SHA256 54c8b1c43a78aa872d02bed0af57d1566ec4bdcf4acc0dfd5c36cb7a36229790
SHA512 2a142dff771a7a04ff42fee65f85b7874c5fc48c66dd7ef47400922e4912866c9270306004f902b97ddd3acf1bdff405da18f0324c60e4f5f4d4061e5775080f

C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

MD5 7ad624cac4b7c724a4a7d2a31e766fb3
SHA1 a7b4d0006ce1f340b2b9326beb021189ba8ea0bf
SHA256 c83a2911dcc04941bea0e1f5e1d141d0f674cd4dc533d41405ebcb0d6435309e
SHA512 e603feb050aa65fcc032c5956cb2da38cbbd5650e1fd9985090ee5a517365e9c6c23af42f02a936428aa9808212733a2f62a9776f4f897ad1aee84e705349e7f

C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

MD5 7afb2eee3193d09737365ba9ee5385b0
SHA1 17dbeecb1168c62997241147f67da69416eac274
SHA256 ee077a858edf4929e179e6015a83e142bd3ba161e2fd8eae1b3b93ab2b6de893
SHA512 d457f9e32e967673eab1239d9121780ff06ce92d3b10e9a70ac72a800264677f2356c2cc1d1896878463d12ad6cadccf314fa31cd555720de8040c2b9acb1e06

C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

MD5 1b67eae4371cc10110d6ba255601244b
SHA1 15d2e5b194a205beafe4df98e7731f086d149f5b
SHA256 94e17aa951b99980e95dd61f8f8427f851343b60017e6a2c55fad5abdcc4abec
SHA512 6c5ef16c527fe870a85fd22518c24e234ed26f0114013a3165f508e651bf2bbcb6ddd7833e5bc46a9eb83c3ade079494d8a0e95e46759475dc9c32c609b23be7

C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

MD5 2e6134e9d0930ca14c891322919196a6
SHA1 db6c4b6d6b2c407bc69c00f6df3ad00e0e05a6a3
SHA256 f6c3c8460ddd938c41ff1bb65071e3027e9ae2c14546593144fc202330488a64
SHA512 fec20abe20997bf139e76c7a55a4007cea4d8b3e42e135cba7fb060d07383bc1508b99f6a8c0858ccbde1f5696ccebc79b8ea636f2a6ed1adc9f09464b8140b6

C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

MD5 7a9db1cc5864d185919af1fa0dbd0ba4
SHA1 63bce8167408e4a3dc109ce9145c752c0e7bcdc2
SHA256 3ec636d99be1b8edd9415977b8a7aa6dc9c4d31ed663f3fd5862926a72244635
SHA512 5f3fa32c1e59e3c0aad1f394fa48acbfc5ac4f1b3e51e8a1ce131a69e5018a0a7da4072f2bc5062b9e8ec92e1c74c65a6222c37452b5f6fe0f61cc9243c508e3

C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

MD5 bd67072a13084f8002e57be303b7668f
SHA1 ad65063ad2dc2652722d080a4e0ad368a64ba204
SHA256 8cd4a0da2acaca2aa97d1c127f78facc4762fb882bbd20dee2cddb5e2bbcac49
SHA512 a473413f9aaaad9bfd7d69a6216a6523c9ee25ba7624f41bb499390ce8ab3b944cf1c84592bef1093ed66fc505e687c339f2a542102058a7e2d4d5ed406bb64d

C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

MD5 c0840d0bdc77fee06a6c4859ea1552de
SHA1 997ce3f68e3e88c3304399796ddd0b7459cc247b
SHA256 5d44c5a0666182646e48aac26b7a16c8adfbc7993a9c9764ce2d4873ed8520f7
SHA512 94716d430d5e08ac117d58a85a9b491d310681728bf12543d94f3225131ea2dcd62ee268f745a4cefdf85b3208498371f2c6bec0476a9b680df12c53e484c4c7

C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log

MD5 b1bb8107e64dad4993c9b0332bc70928
SHA1 b3dda2c68cf40a638a4c83e636172d19f0fed382
SHA256 bbd75e6e1588acbefa8c2799aa053d0d1d9a080ce48ed758ef374a00cc1d5056
SHA512 77e242e8cdb36804edb4ace6daaae091797466f6aa65d918cdaea4ccea2e5b4607659eabe383014dab87030a49b5099583b442bafa6a360d5204246d9ecf8fe2

C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log

MD5 bb95b1b9164d92fc3e1f5616e700593e
SHA1 c29daece171331fa3f599c4dd555604c962f4169
SHA256 bfa7014e0b1702a045ea9da87933ce05fb4dad95acf5bb80da4e042ef5a9c24a
SHA512 7aded98f014f7a09328d19660c20ded7221f099f6c393738dec703319c00dd3e4e8245d5f3d0becb81d666928e04cf917cb7547a50b6e8f4d2ba2183b5128a63

C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log

MD5 e77948d3628c1bd0a01baeef555d2fc3
SHA1 56d70e66fcb7325256bd4bbbc1c9944ba3b33d44
SHA256 efcf8abfc16f4ea5784e991759d26e78526d4a42159ba12839f9762c191439e9
SHA512 dcaeec2d2833af4db4e74d0fb3b80629dc71b811219edc9d4799a444dafa77496d4f51e9261952b0821862a2d8db6675c3c4f3904693a48dfe4c09f5cb4b10ac

C:\Users\Admin\Desktop\PublishLimit.ppt

MD5 bf5bd2ca59047b48e476ef8fe52b503f
SHA1 baa0dcb3a73b97384262279a27e45fedc2e0a520
SHA256 f3d1ade1f198c84d41acff584259f7a58be096dbdd97d288ade0e81bc0f12bb5
SHA512 845229bfa625098aed0846629479bfcec7dc3e39b8120acab67c4920e6b03dd3ec5fb66c6a4c5d67e7b64af9af3b68c96c777885b8c077862a9f36741f4671e4

C:\Users\Admin\Desktop\RepairConvertFrom.mpa

MD5 08a5874f5639a444f8e39b03c2f1d1ba
SHA1 da3965257f937917e5189400f9723b0c93b95e81
SHA256 76942199e2e303c90fd83ebded88589b542c05bd030f4c1183567ac2a3fa88fb
SHA512 8fbbcb6807b55b60bc34401a17de78241f7c5082bd10281c5b0dedae0569d98fbf48690634c63559c939b0ee676caff167b8757fa94fa2568a416908fe86aaa6

C:\Users\Admin\Desktop\RequestReset.rtf

MD5 050369a9c3f672e628354f5d71213229
SHA1 62fa75cef40515cbc5ec63516d883b2151ad307c
SHA256 ac881dad822314255a3796422ba90ac237cd92cf96de158b9df3df8170cecc84
SHA512 9af99e1401d3690683fb634d874fac6317ffb024666dd549802196615ec9ffdf08b98dc71fc405b4c10bdfe9011f4a7b8e6294c7d8afdcb17986c0788a9b81f2

C:\Users\Admin\Desktop\StopOptimize.rmi

MD5 33824694188d8fbd8d8696f3448232db
SHA1 6c08b340fd8f0d9cb9bf0126951488ad8d528343
SHA256 221d1f1a4c169e903fc24f244007ca1ae17ff6cf1c5f2ee491861302a936477d
SHA512 48a6c9a925d821034bbf6379e8074543e428aec98fe879942de0f0827afa9b94722fc23f4fd627ebd3d7d48b3d677d3a53893f0e3af1715e46e8252a6916c4f7

C:\Users\Admin\Desktop\SyncFind.xml

MD5 43a9374702518e43cfaf071a83295129
SHA1 5786693816d1829b2754858133a23d70a8b7aabf
SHA256 03c620ed27e1c1a7a73da897b6445b5202ee4fa5cda450a39fe60069a1d2fc62
SHA512 6fbb4005f2af0aecc6197a951d970bde80e901d0e27466c154cadda45d60c30d67868e2b537178d66cd00af1970ee6c772664842b13e6b43b6c89638356b24ea

C:\Users\Admin\Desktop\SyncExpand.wav

MD5 8cd264aa87c0eb3c2545c631426b0a2d
SHA1 cda91db05e216ffa5c9d98c54febb0a63bdd3ea3
SHA256 d883c7387e340f409836da69a9c4f8a660a942bb2476a1ebe53050647bb4c2c1
SHA512 61398b867373de1c105e59c40d8d14a79e0b6d5b853afc8d508d0cd6d1d3ce9d3c09ef527e33052c368019c63e497a7566d4c62bda43289183ab6a4129b77141

C:\Users\Admin\Desktop\SubmitResolve.css

MD5 251b23e6a0ce22b1b6a4697d07ae0b77
SHA1 118eb59a2a8f063bc5eeba1eab250ef2818a9706
SHA256 7e19fbc1edd7dce34b276bf6be7341229b080899384690fc1803d339a3a14577
SHA512 ceef2a240103edac1c125de86ef8e248dc2fcdd08028254352c228c32ad89dfe6cc5e0c2d1048e0e762b18566179972676520398e628bd4fea3fb41d2297b8fc

C:\Users\Admin\Desktop\SendMeasure.ocx

MD5 b37fcc4c454b6a15226c0f5b964d4311
SHA1 cde908ae1f1d4038fc35a138ea9b7d3e6429204c
SHA256 2d47a63bd169f72a4f0a1de31ebbd12da39ba06c44d03463329671abd2b59882
SHA512 57f63d89996c02604b1d93eae394d572f0c5e7554a5edf0b500bb3085505608f81ce65c664988e7a2f604edfd7ed5d0c0b350c7fb36133d2743ad95a8417af44

C:\Users\Admin\Desktop\UnprotectClose.rmi

MD5 d6fadadd747a9df25a4220671462c7cc
SHA1 2ad5bba2624b870328156d56262dd030a9458032
SHA256 2aca75405e1961687611540ab794ca9cf8e64b77be83d1f70511bbe2ddff8913
SHA512 d2c284682a39226b040df1130c615e8497e87eab3690393ffc4c2828c2db6356a2b81dbe791f1b9cb51a988a006432e661372d04765f537ca8b48d7c274d7d94

C:\Users\Admin\Desktop\WaitPing.kix

MD5 f04fa9637933605f367de43df10f7f50
SHA1 8a6d72c46eb97bbda6d29e53b8d6c2bf87781309
SHA256 8d848b43ae9a90c7c346ceaaea12432cb0863702a0544ac8b51bc33cac7ef3f3
SHA512 ee21ea7b053101255b460f61401728df8194ebe38f192ab26f7175e821f3a8fddaedbea87c227444f7378a85b82e7ee5d62b3b69065fc54ac3b99330ccbcb17b

C:\Users\Admin\Desktop\BackupFind.docx

MD5 71299ceea658d099688d0b3f6dd485d7
SHA1 6966d7b6eeff47ed1f05530bd30ab2d85729aa0c
SHA256 21e342048c9e77308cb5a7cd4c471cc75af23b9d202c0adad68c9583e3da12e9
SHA512 0508daec44a05a22acc777d38fb451f3e9fc4e7443b4e2e31822b3f8ca0319b553e2f8f9bef2199b0c8c0b14ff722cb302afefcafbaa6439879784529803a4f6

C:\Users\Admin\Desktop\LockCompress.docx

MD5 6333d6872680f6479465c6deb4b1519d
SHA1 4b9391d0847f89ed79c0c1252397acab11adde2e
SHA256 12479333f63d2221b2e9f24a55dc43ccb29ba9210864ae59feb1aef6a0d359e8
SHA512 fb5c9318678aa2cf4e65a3ab5e8fb02fcd030a592aa30dd2268d45dc09d9f435a60190aa6e09117185a96ea0d1228cfe10613439d357d9e248b0ed7e96bbdf95

C:\Users\Admin\Desktop\GrantConvert.docx

MD5 e4922d36d1b7b9d4818c6761b4a54dc8
SHA1 0362b981fadfdcd103e24c9119fe21683f4cfc8f
SHA256 1344f75940d2fa35716706b4489c2e5f0fe146be599a72c7e3d5d88599746f79
SHA512 1e4d8c420215e95bb2a9eeee0499255b5b4416500a53a2c1b60c974b150ab261866e16ce92d847f69594aa8e5a7c1c1cd87d74a6583fbcfae89abb7e84946836

C:\Users\Admin\Desktop\SendEnter.xlsx

MD5 827acb7354ed11ef2d4969ddd3113efe
SHA1 965c47094fc1de5bea6eaecb3127d38786d71e9f
SHA256 03d6fd2e8650262afa2956d31948910b9aee694b1acffa5be1ad18c058c7d1f9
SHA512 2e1b604da99c7478c9d9081f3044dc45974e1eb53285a6c1151696e2290b1d0cc161a13d3b0566acda9f1ddb54ed69979ac4c21d00a8c1398c1aa77f066d6a39

C:\Users\Admin\Desktop\StopRequest.xlsx

MD5 4e709cb06276a2d12a8973babf7ca909
SHA1 17cdef382e28a2efb96a87ed0bc394da6748a41a
SHA256 86c2e89c87107fddfedef997c8e4291560121797ee4272550a0807d9f4d69132
SHA512 cbd4b9d938f849f2a33bc0df80622d820d360b7112e6a148228206e84bed4ac5b37521a6c4e436ec31aba450ca0a7764711aaf394e11337f0debd32be63d4edb

C:\Users\Admin\Desktop\StopJoin.xlsx

MD5 386f7c658b68dfed95d5a8dbe9a09ff4
SHA1 29b3aef73d1012aacbf7001a1b8256e2e87228d8
SHA256 358dec947099139749f8a53410fba2490cd6a9f15676351e81fb9aeaf57a27a4
SHA512 bfc4941bd27e396ef4496c599eecfc07afb7deff505a7c8da1360697fd6776dcace3bb26daa4cacc49b5f7fad839ce861f03cfe7a3117dab4087499971eca3eb

C:\Users\Admin\Desktop\PublishSearch.docx

MD5 c55c29a8a304cbca5c47670601c7eb4d
SHA1 52622d4b17ecd12d0792c3ed03140187f6595a17
SHA256 9b00d30a7f38066962ff285196025bde385b66cdacc0fdf6c038a9b2296ae95a
SHA512 75fbd5931bbb6b3e1c62f5173daf2bde9925d3e05b866bf14cf49a611d4341576f2a852ac350293b46d17df522e6ee051a7ef53acb1e6334bdc08094d61d780f

C:\Users\Admin\Desktop\ConvertClear.mov

MD5 ae32ab9bc775a6d02f80138e7ad89293
SHA1 29390df0e453e2ede710c65ec3ce416f0c40c406
SHA256 d69ff054b8f086bb4df04265f30be3b7dac51ef8ded65921bdcedf805359a851
SHA512 ee6b3888b388c58d7ec290db603ac455213c04cd26d4b653db29a8cd8ea41f94c9a2a280ed53e2f930620751a86c56b8fd5d702a89edbcca7b53e1dba58a1662

C:\Users\Admin\Desktop\CompleteRestart.wps

MD5 c88e93fca7e86226b7d3f46b33885337
SHA1 78a4e050384fb3b59cbd7631303c8623790e4c5f
SHA256 73abecaef1e32bb6b6086a7265d2a7fd0a588d8acf981a90b57ddbd5ca86606c
SHA512 2e5632d9c241b565ac4ca06182db3e1737cef0a48598d6019d007ad0f7f733d3e18868a76f5f012b792f05d38c9caa8ad47e11a23551ec81dfb7d4fcf385a3a6

C:\Users\Admin\Desktop\CompleteRename.nfo

MD5 36f07bad2758c4b8b5dacd5291751b81
SHA1 dba7ed014d047fc88304dda8fbbbc6e7f5c0f0c9
SHA256 e1eef6d351964d01cdea810364903d93482928bdcb65d3d764398943c0be38fd
SHA512 328dec585deeeca9de02460f39ddb63758641c0ffa9ff31c24627ab6b34b75fe00f65a0ab47ca329cf9bc6ba15125bc0dba7e4f83bc68b68cda6b7904fa8075a

C:\Users\Admin\Desktop\FormatConfirm.wmf

MD5 8f245be4c9322e6e14c3955c5bbbe371
SHA1 ea694ce0e24db8ee388c3f470d69cc1025cf14fd
SHA256 f8d5a5e1b421e77c0089f35a4467f448a5867474c9924417a59d18ae0da6e78f
SHA512 d2aa9d67886b2a80efaf3434f7426e6b452fae6be63343012155f866dcd2338a2e8513c39013231a1e35d8c9911c2d1886c4ffef879064ab4b0aee31c42b4e1c

C:\Users\Admin\Desktop\PingSwitch.ps1

MD5 2fe82c341cd156aa2c32ae0d947c34a0
SHA1 63204c670636b628a3d729603d511319ebcae368
SHA256 b9522a988077d4299d808621c59433dd80e27f84ed51eb35e4af821aee70e1ea
SHA512 74fc75ec6861774bfc62b9c0822aca65a4f86830f623c961d1912df7137772f8625b453781d3c41435c6b1a8db145781efb818fd6ad2ef1a46b670218003ecb1

C:\Users\Admin\Desktop\NewSuspend.gif

MD5 4865ea79dc7252facdd7e7ae87bf667a
SHA1 93e0d2b832b29c7896ccb0fec1ec26766dfb00b1
SHA256 d014512dc4ba7f1aee0dab0b29b0d7398834556c93fda4d95c6c1a6aaf5c7529
SHA512 661e6df772039e18d290aea1a60f441f4fc09e2b145e0ce7a195d63613f3e05ea77db45a264c419303ba38f56d0677f52f0fd5ca1d8db4479ddb504b398c85a9

C:\Users\Admin\Desktop\NewResize.mid

MD5 a971823c72a6d9bd269b12b58660eb4e
SHA1 fdaa6c30c1de52b594d7c16a995d6d98179ac667
SHA256 664d129aae44d6e291dd820a67f84a08687ba9944a3e7588d50f0e897caa20c8
SHA512 edd8604a12923f47dfcf3c076d3c703b599c8da836149ff9dfaf605d56aef551c87bc71479427a5ccebd79b58966e92b0e629eb021f22796187df2f2940c6ad0

C:\Users\Admin\Desktop\MoveConvert.mpeg

MD5 366588b5444b866e884c8aa9ff17c2d1
SHA1 744d3d6b7c2c0549fa5e108adb4f41e98c4d7d12
SHA256 ddbbede6577ebb2534712faf7bf21cee439b3fee8b879e8e3970950129e93fe0
SHA512 9243d2dca43ebea41aafda48eca266fa8d0b9cbff2338919fce20545de652bcc49b5426c2e14986aae1d9e4721812861032cb5bef613eb4e8344b4aacb75c1e0

C:\Users\Admin\Desktop\MergeBlock.bmp

MD5 d92f5696650504320fb7c8397a924b40
SHA1 7ab81b0d260b558735abf14795722b9e28545458
SHA256 559a9159764bd47e7f3c9a9c1b5fc232fa9a2ea52e130c4ac0ea2d9b6439ec25
SHA512 333cf5be0fce69d9eb6a4be9885b9d66bc233c0836aa71d84c7c683c236b4d89f26f3446248e9e4c73c54c2e510ba69478fb50d33bc76d16b6e9ec0a82c01ef1

C:\Users\Admin\Desktop\LockMeasure.eps

MD5 eb432242c8d65a063c8dcf47ee4ac441
SHA1 113c01ac31a5a1c11fbe3d5bb0d75d0465578e63
SHA256 7b842b46020a0dfe88d487e05b80abd858179484d5864e3aadee9876e53c946c
SHA512 6794e58cad47f8b03565695993e233dfb781a444b2ecf194dfd9f23540eecbc004e5625b8274977e443714aef82b1eb280d97c5c4df063fe031432a5a60bc168

C:\Users\Admin\Desktop\JoinUnpublish.temp

MD5 4556b26cec07758b71dc46c47027a15c
SHA1 eda3a5c6e0c7af4df97d343705396113dcf72c8c
SHA256 4554510f63137890b35f0ca381fcdd26c03e737f51d0f9fceeac0750eb8105ec
SHA512 5e6ec1745b61db1c9f40376b0f4138bffccbfe68a3639bfc7acfc0139451379130adb7ee03906f567c5ca88714059a08b0ce1f2bd221e8318a89063f27c0d0ee

C:\Users\Admin\Desktop\JoinSync.wmf

MD5 3b142a01a8238e14df1c249e7c6b990c
SHA1 ea09295ad2ed79348a6c26c542c36a6c797e5045
SHA256 6625e6279c996db024eceb14a1c05fb5af4c2e447a9509d31695900a9058cee4
SHA512 809d41b55a12a82fe5daca579b59af7b9ebf633eeca96800bf825fe5559c98fa9cbdd110b950943deee264eaaa22229e5dc1748b6fb4c50a43b754a6482442e4

C:\Users\Admin\Desktop\JoinCheckpoint.js

MD5 739db0fe7c2f90ef837150f1aa6b33f8
SHA1 827254cc0348fc9e1ae1602c8ed5ca1b5eb0592a
SHA256 ff6a4c4f12b59a6cbf7f8117fb50d9f253bee429f73eea8a695d0f877c6c97c7
SHA512 a8c5a14c64a4dc6596abf1a0de54b077c386a6fb84a9de58f806ce55c7678bfa13910fe121b0fd3090951df77b08273a07ed9e19205a514e5bc56ed065ac0947

C:\Users\Admin\Desktop\GetMove.rm

MD5 e31ac0d99036c52632a183746f129463
SHA1 c3e72119f9a2378fbea6475645d86060c771ea55
SHA256 90a60f589381eb1f1610d9d7d34534937e3064b0ac5acab3f8477bd1354d83cf
SHA512 3eab25188bad8ea6696ea027785e7972288bc5d037aa87bd67ca404d540a11b1aefe19def5c309af839206df41ef9caaa28c419d490d23e4e911d85de624e1fb

C:\Users\Admin\Desktop\DisableOut.avi

MD5 283248e04e139ebea3e039be94adf420
SHA1 d3901241343452e5d83895928742c8423f2d43fc
SHA256 2ce49138097fb916d2406b756737c6f3fa34cfbb79f8e0d3424eb2c13fa1223d
SHA512 c8d26aabb51904bd0640572cf65dfe5e3882f9f0ce3dcfc67d2292973944fd5cf4bfe7e65e0dd4776eaf0c8d5f895f48d3ec3a21eba265b9b2d927c4e0c21356

C:\Users\Admin\Desktop\CompleteConfirm.odt

MD5 ee300dd936448beea0fd96a32cb722fc
SHA1 761139f89eb7671777833eb19f9642026a731e15
SHA256 0e45d23da6523a477080270e35001b8e627d0d2ea9318137f01a1f1a574e8682
SHA512 fb0b56be5df6bfc356e9509e21e5bfce8170d91760b7807b0024b245b2ed267304eaa9071921fd0fee92cbce5f041025fa934bf9e01b975f48ba6ff8789d2fb9

C:\Users\Admin\Desktop\CompareResume.mpg

MD5 49afc430a9a08a30ccde0dd0a463931c
SHA1 f350ba4e1e714ec4e3d43d5aaab594ab76e6fd17
SHA256 c4f89587df8127657bd2b94338c12ee67ae50a9dd3f8a7381eb1ab7d9ae67846
SHA512 9315afa5ddf31ea0c4173551d351e032deb98cbfabc0cbc74d10b217b093c93e181ce4f8e6d2f7cfbf663664a478f4bfc3c1abc30efb04090a7fd84ab673aed3

C:\Users\Admin\Desktop\BlockWrite.xlsb

MD5 f6491a422563335813e274abf5c48b90
SHA1 6853ac34a3a166ba3f6b169670ce06f46a5ec489
SHA256 52ec42d0930fd88ffa88b8bd6682abd6cd54af6f51b1ce7919fd0caea6508e17
SHA512 dccf9af964e1b1eedff7816007be74126656a7adfdebc2f20c16d474011ab4ab9917c5c8e0a9494f706e189998851f3de69570f2cd0e8ce00afe3236040cfcb0

C:\Users\Admin\Desktop\ApproveUninstall.TTS

MD5 0985a090e9a3c0f3ad596dd4b1730cda
SHA1 e72469ed97e9af4d1a64e7283daae395869b6168
SHA256 ebabfe291b281cbaf649ec8a3e49376328be866969207cd7eb09351f7db5d471
SHA512 bda27a3859cbdd9b1916e52940d92d8e918002367b074264122ca49c85a5394231010a569d780dd0c8a6608fc9968862c8cf1d13ebecb1d51000fe5081ebe189

C:\Users\Admin\Downloads\EnterPublish.contact

MD5 605ead69851b366d70f89a9026ab37f8
SHA1 f99892ea68c4ae72e1581483b1ecd838a47cd84d
SHA256 2ae6ea6ba1260685c31d29def520a7f994ba86e4d9f17702c0ea51e4f68173c0
SHA512 81fbe2d651d28c7e5fabebca71ceae59ba3f81bc86f6a2854010581edc925640dbecfda8e86c0406ebc41f72e7e922f1bdc0680e1375a5388c260907059392bd

C:\Users\Admin\Downloads\InstallSend.emz

MD5 4bbc9b7b5f1a876ba8d1fd35ca9902b5
SHA1 0a67ee593af6d7a1593db059fb689ed5e9a879ab
SHA256 86d4a190957cb5836cec03178759ae5196a31bbccaf6c55940caf1aaf02fe2f0
SHA512 7eda0077bd7eed038193bc655075f121ccd825132d0b92d21ec4f72f47602a92194414833d715baf389aec5f51271293fd2fd36a28dfa5c60b933f867ef71d92

C:\Users\Admin\Downloads\BlockSelect.eps

MD5 e7e3f0164c6627c159d178c2559813da
SHA1 c59ef9f37465f466f4bd624e798a1773509a640b
SHA256 2ded4afd887a128bd6b152ae93f09d19562c6813f134f30bb3cb6141f2bf7f09
SHA512 f01ef7363d839fa41b7127873b6a2aa2c0b8b5a90519e1a70e20cf04305a0628b55c9789aebf1c66dfec8f468ee249f7f58d50c19e2d41bb2b846cbb33ad26db

C:\Users\Admin\Downloads\RedoTrace.otf

MD5 9e0f5bca4d737f55ff36b369fce3488e
SHA1 db158f7be79b11b65ad4b0d4f7531e52940c8b00
SHA256 9e78461c034131cf868a5c6d4b3c2373376cf832327fb98c8ff7c8b2ac079398
SHA512 40c8a715a11c0be96184b662b2dc4f289109959259443fe77de27d4ea1e62811e6462d108e6387df4ccb34a68b6cc024a9f64f6d80a90a9bf5dea23da4d585a6

C:\Users\Admin\Downloads\SetUnregister.tmp

MD5 8e581898fe65f965ceafcf57f464c4b0
SHA1 cd145ed69e941b540aa1ff5d620f1760aff5f2aa
SHA256 87107b7d83f2678bfe626d8ba6dedc870194877e6429135f267b50e4096f7a19
SHA512 b4caec4565afcf4affae0009839f6b316414486bba8097a509f0cf570d6118faacdfbda711bab94c5e3b354a11706ae0faeed80255bdf54c6bce031d75ef4222

C:\Users\Admin\Downloads\ResetEnable.mp4

MD5 c4f334ab44057d489b71418a6bd1dabb
SHA1 049cc69e3cdef1c2cbee60dae52c29db961e69de
SHA256 5603c1c0b916e32f8c640a51a50b424a6110a5a123ee390ed2a0354ae041eae9
SHA512 f314ebff2f70628e960f8bf13557ef886e757e41127ce88a8c7644814ce5579294fa12f4b05c16421f53c066ab2b5d8a1a71ef32d77b9a24342a953abf57469a

C:\Users\Admin\Downloads\ExportResize.xps

MD5 14137aa6e2daecb7b2122b9fa94d4069
SHA1 bdb6be73c7995e0576692fb17d6831a595d0be08
SHA256 5e7edbfa6f9d88b1c92c10c1df4020d2aa9d8133801c3bb87cad30902eec9ee3
SHA512 e80004ec68cbfe92c08bf8ff6a01f96efb4a75e592b23f51830810700809a3a6c26bf82e406af29aa9f1da2426fbd84671b53dcf0d5601907f179f4dd81f6d08

C:\Users\Admin\Downloads\ResetMeasure.cmd

MD5 ba54f700e9161077968c05d643ee461a
SHA1 2915d92eeeb8ab2c86dd6b719ecaaf21efa5b6ad
SHA256 9d05ab241dbc04b9754f377ef9f07c6f7275751f5b48819e1935efd26180586d
SHA512 17bf733ff6cd852167f7ea756e8716fac45f0c9894b8c774c40addc6f6198a4e7d3c8a8e9eefb3bf5d6105a617e0c18c5b3d02761dc4337e16537d041358da51

C:\Users\Admin\Downloads\CompareWait.csv

MD5 149246b437748e5b0e9013f4a9947d4c
SHA1 d9e92fa2a4b47567641dcc2109c8ec5075f0111b
SHA256 896011e29087d43b4be1d9347f11c3cc5a96cc2adc68a2e4004a27633529d728
SHA512 da94807efacae4cb55723d254ab35a01d93f3d4f7e1f0e89c00c8a08a286b869a1cbe2980a14f093c1208a33b7f6978f81870496717467aa6d2fe630cb6a53f2

C:\Users\Admin\Downloads\ResolveSend.mp4

MD5 f232aebc4c54f1429b66e4f3543fa307
SHA1 c9293a69f844a0cfddadd99c00b23a0e61c97520
SHA256 eb099f458cd0dea341600b37f0ce4ebd738caaf57663f239c14e6bd78b07f104
SHA512 e12556e7cd02ac9b935f7e076f9edb159a79ce3cf569288e6daeed73a4acc7aa434add3751523e8b96ddf7ac0d46b24a1797c4e747a137df67d86b8cbfaa3547

C:\Users\Admin\Downloads\UseExit.vsw

MD5 3090cba2357dac90932b3335d3505ad5
SHA1 e3fe199590817ea1ab8ad20a19ffbc3c8640974d
SHA256 c3c4de6eb9b240801e4323ebcc4c2dca6a4ab26194f8f170e36e12370cd9080f
SHA512 6b9992d7584d5eabf6208f0d375d76725053c96878ff1c70d9cedbe6016c559f1b9cd21d05eb46e27a79df13fb56d95b5c5e8040269ad0bd1304b140bb99ad28

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f80f5f25-8dff-42b9-98bc-469e664f34f8.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a28bb0d36049e72d00393056dce10a26
SHA1 c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256 684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA512 20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 554d6d27186fa7d6762d95dde7a17584
SHA1 93ea7b20b8fae384cf0be0d65e4295097112fdca
SHA256 2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA512 57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 894bdc6e33e275a9a8457eae02c49959
SHA1 1ef7de959a98569c7e85dc7c064a2f5bd46d8b6f
SHA256 6e67173eebc965ed5a9e3f8f26fed38630fcb92847fa751324d293a8f818282b
SHA512 c5ebc7e8bba4c1ba16b09190e692e698210a9ba1a34b986925db61ab983a9f58e8539aff3dcf31cd580c1137ba93e4129c45f6ba4f2d05af780f8e55b81f9074

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c6baac27e301e958b39a1bd4a8256b00
SHA1 5f4bfc99f6f0543ed004258136e4cbca45153531
SHA256 e751cd91f1b836f976da6ed2de857b3518f7719cd05cb3b7a6b3e5e70c9dc4b4
SHA512 2c92df1857cb8fd6412959af938e467b412c352e0dcb666eef9c48dda1d6a3197ccf6e95c72b562585252f0479fbd0d00331ac606d11b7e1050c1555a5f7298d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6b7b88644462dcb3d97506311656a3dc
SHA1 8a7321bffc8963ffdde703ace665176986156b3e
SHA256 90f04d9f6ee4a2aaa3a073107f0caba048e04aeb4bcc5439dd315b92b6bbc181
SHA512 ca7e099d9496aee67cf8c0e594a2c6dc601951f82fe303220f3b74ad252313dd0221078fae9e30ebabda27644cff27a443eca740747edae6289f650d2d1216ba

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

MD5 12e3dac858061d088023b2bd48e2fa96
SHA1 e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
SHA256 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
SHA512 c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 91f44283cc0b8890f4e7907672af4297
SHA1 e345a5bd5486c5f9dcd7c0700f568e2b12964a4b
SHA256 97962a72bf0e8400d9c2355d95c4c8008d1ab112ad884f528f821f71e4bfb8ce
SHA512 b876fd401dedb1ddbd119d0d47e6274ebb6c18789dbb20e927148b32e1ae2aefb7b1e5c4a2741bc9f98d6522515c8a429a7735efd567a92442612003747ed177

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c7eb0937560047f8a9218780a1d6360f
SHA1 e837612f9d6a300985024aa59c126d786b03803f
SHA256 861cb41ff3344c29983192e0e22fb4e1f144153b0e6854cd1ae93167ada58d5e
SHA512 60e8b373f8e1f0a2db1af70d351b601b7ba127e1b9a805e9f7aa8b548e9235d85ef25b247218e54beaaaa0af91bf7d92c3267d6ddbebfd165f9aca084d0090ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 101fd06bf6569cbc2c81363eaaec25de
SHA1 79c1dde1996754f11623a75836faafc96ec58d7f
SHA256 a462a3730a9e46d6e01d62f87d29c84fcc5e7f53e9aa855772e657c5171c3524
SHA512 7d203a9f219e9804c2618fcaf6c6291f70505a61cf7e0a78dfa48c4a871ae059e00e6d309ed723a0f1c537bf06db3c60a08ab69de8faf690e26ea89033d94b0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f1fe9ed1ce08fc7796fce5bee66a388
SHA1 76f58503429cf0620e6a6c1403705af4f3f4e884
SHA256 97fdaf2b09a45352953f8c2057f309688b66cbdc64248cee20f2d92a67b5ce8b
SHA512 9736108948cccb69bb7e288e9e7f6465cc9362d8506f3ea8290a69e039ac83fa9e369791f83ce3b99ee2759bf0ff3c2fc0bea65dec162ee3d63cf37c9cd60ef0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 4016def982cf1c510b37a8c095b00379
SHA1 53465bc62cd2211846a3c1a458863989fac8ec40
SHA256 c380332027736c2be25250eaa6ac1fdb5a0e8199e58d221a899aeab1270151f5
SHA512 4a448baf33772f1ca1a8e711745a0f941fc0f2a2b2c7a1a696e179f7b7909b13077ed53a6a4f2706cd42766574ad1a679533657fe3f7add5ba60a07c0f10a146

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d83dce1290083ccbe35886219746f95c
SHA1 236e99a5744325c3ca49545fd025102a1d03b8dd
SHA256 c36252de172f3656b09f734decdc991cf9764c39d484d4aa044093581edf170a
SHA512 6833a0b18c463137aa8826a606c88f16eb4bf94885d492be20722acb2fb52e07a47dca327df0721560696382c7cfafb133bff1b44598800a4896953bc422bf80

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 869caccf56d3935aabd72516791f25bc
SHA1 9f89b21d3adeae1dd4272a6af5dacdaf6c9b3f02
SHA256 1ddc9a9c0b5b6865f6cc6e43a72b8cf82ad50940a387f2eed108411b6008d116
SHA512 efb58f32e9510eca30de647abd28d2cf4b8aabf497982e0f9e4161884fdd55970f4af888708df6105501c16ddda4310e6ecb39972b511e7e4c0fb9e676e5acc9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 4af7fa51c3819e96d4ac5872a2410522
SHA1 ba17c99721c1c1ca2adf16f716289719ece281a5
SHA256 2662a43af0b1e867dd950a99eb43d3c405c299a9008ea110d1eb13ced01e4ab7
SHA512 34d8a1699d1de97cf16a1fae3478363d7cd77c02bab31f1361f9ed585b379b8209d8648d3394cf3ee2a0ac0c2dccb9e460d5e40134ebb28efb57375ce37a1094

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 c4052f00cbe8edc5f7c4fc6ff891d077
SHA1 aea0a19aa816db7ba3e2df8f8f51bd1d3fa1e321
SHA256 535937e024cb9ea3b92779c7a1e4d0f4aa9d97c9bf35e04afc2b087ed060f472
SHA512 a1105f42578eb1551b5c3240848dc34a882a15e83ec9cc96c81c731973c43a1fb8096372a7a7fb8fbfe587f2bcb77873f23f0b6fc76f505334b0ed649c5db333

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 947285c455e2e479e51a069f33576b5c
SHA1 1b922533b1f9b3c1e86191ab225073e517e46d08
SHA256 01fed052267bf0c65af45e028221d155d63d9a9c8031b0dda1496851715123ab
SHA512 c3a96a642f9cb6954409b8b5c9260903a4db2ba61c0cabe5005160639e1f178f0a891246807874dc4053b6db0ee9de6ad7fa9e4d85961dcf97800af7f9c50218

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 af72a661ac5dacfdcb04ee9afb15a69c
SHA1 63fdca1ded7edd77a0dc96482faa785567cce9e7
SHA256 3c765f08ea7363974f37cd37c878e62b432fbf5da89f918c4bd71f3b4a9ef7e4
SHA512 de9c9d2be03470d2204418202fa1f4186ea66c04578e40ea50b22391dfe5201d6c75e8bf65c1fb43cea3e0a4b65287fd487bb8930b293ac8b9ebb9254eb8915d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bc56f.TMP

MD5 17979ad7046dc874dba706fe852b5485
SHA1 d90e933e28bb9bfb69aef729d920b2dea5224571
SHA256 5a2cba661156910f288cc3675e81dfbd68f78f31c17d829b5b52a4ab2ea8ef6c
SHA512 06ffbe075539f315c729dc107abcb8a529803e9d2748ad861d304344687b4eea9005c52b0a283c1e09565dd6c4677ff8a093d4864c2660c1f7a31169bb9b457b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 f0de9a98dbdfa8c02742ce6d92fb2524
SHA1 cdec682aeb9e39edccc2374dab26f04db754a8b5
SHA256 faf4294f27a542b0f9ea2a7cb2711529ab027cd84a5f5badfae752100855e6be
SHA512 856fc9ab199997e69a9487372bc0083564f7115b3e0678cf1d542b9864e9a88d5ffb85697fd93538dc9439071e3bcd4b8bccbfc610e1a45de104d6362d8adcd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 2d3fbed6ddd719fcc1bfb500b612fcec
SHA1 cd91b795dde806ac8a38e51ccb6e8bad8e57da1b
SHA256 b2566b646f02df4ce30b05d8223b78130a719d4ec9e4794a0106c371ade33cc7
SHA512 a870e514b325d6fdc4d154438a8dd333c7ab46e545c1b27ac4869d9f1d8594ca1cdc530f5e96c835220ddad4e1cef841673696978031b5237e783972aee701d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 262b98aa500ad46de74dc1eca39e7c82
SHA1 9b652b055d7ade65bb9fb538a58a0da0a2b343bc
SHA256 97b3f677f9ca44320bb64698a4e15ae91ed853737ad54dc32bb1ffdedfd53504
SHA512 e480f61613ae6cf9a5b6c5ede2ffad85fccd2e4d675b2dd44c12f9df60784c9d4c0ae0a7aedaf4f77ea1831c95a025d7ffd188daeb4ec35b841856119a1e9b39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P83QGHQW\login.live[1].xml

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\I3NL4R3M\microsoft_logo_564db913a7fa0ca42727161c6d031bef[1].svg

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState\_sessionState.json
