Analysis Overview
SHA256
0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e
Threat Level: Known bad
The file 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e was found to be: Known bad.
Malicious Activity Summary
Remcos
Hawkeye family
Remcos family
HawkEye
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Uses browser remote debugging
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 17:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 17:57
Reported
2024-11-27 18:00
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Remcos
Remcos family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2024 set thread context of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
Network
Files
\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
| Hash | Value |
| --- | --- |
| MD5 | 1e3d5cf8e89402325bca1e6a1329f7c7 |
| SHA1 | bc31f499894600db104ca347f9e9bbcb6a66c539 |
| SHA256 | 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e |
| SHA512 | 8a6297f965cd6228e6b63fb3c4c2cd88db6488d8459a94e6f20706454c4af4fab793abe850fe16d1b18149bef0d54240fcd4e1c25c6a42fb8ba36494a598cdbc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| Hash | Value |
| --- | --- |
| MD5 | f0d27b882dd6e1c9388b5c6f828bfe0c |
| SHA1 | ceb56b27b6ccc3525007266e9042b9bc8b99beb8 |
| SHA256 | 45629ca452a66a9c50740197ad12c3cf33d1b830d9d521df38d3e2e65dde605a |
| SHA512 | 0c032e42a11b2ceeee5eea9e67dd15cd582519ce6706804c71a240a513c6f1edb202b224c3035520c66bb0a3a2ef229966214bac31023b9c459fde9f63f2f260 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 17:57
Reported
2024-11-27 18:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
HawkEye
Hawkeye family
Remcos
Remcos family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E10MWO = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\WinUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{F7A01854-C047-4FD6-90CC-BE0676B4370C} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{1EEDB7B9-4AFC-418C-920A-CD6B05CF8852} | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject | C:\Windows\SysWOW64\dxdiag.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dxdiag.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe | "C:\Users\Admin\AppData\Local\Temp\0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe" |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\ojkchfcrfholijuascxcz" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\qdpvaxnstpgqsxqejmkecbxv" |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\qdpvaxnstpgqsxqejmkecbxv" |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4f1bcc40,0x7ffc4f1bcc4c,0x7ffc4f1bcc58 |
| C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe | C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\bfvnbqymhxyvudeqtxexnnsmkrmh" |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2 |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3 |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2268 /prefetch:8 |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1 |
| C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" |
| C:\Program Files\Google\Chrome\Application\Chrome.exe | "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,9186735364933219260,5075835901409249871,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1 |
| C:\Windows\SysWOW64\dxdiag.exe | |
"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc4f0746f8,0x7ffc4f074708,0x7ffc4f074718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2224,3237396218190211687,12823806286449883448,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\rjecbqp"
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\udjvbianwc"
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe /stext "C:\Users\Admin\AppData\Local\Temp\efwfublgskpuq"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 45.138.48.25:3333 | | tcp |
| US | 8.8.8.8:53 | 25.48.138.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 45.138.48.25:3333 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 127.0.0.1:9222 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:9222 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| DE | 45.138.48.25:3333 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\WinUpdate\WinUpdate.exe
| MD5 | 1e3d5cf8e89402325bca1e6a1329f7c7 |
| SHA1 | bc31f499894600db104ca347f9e9bbcb6a66c539 |
| SHA256 | 0d29f5c648cbd373d3b46738e2a00917b156053e4eafb1e47481a122cedf0a1e |
| SHA512 | 8a6297f965cd6228e6b63fb3c4c2cd88db6488d8459a94e6f20706454c4af4fab793abe850fe16d1b18149bef0d54240fcd4e1c25c6a42fb8ba36494a598cdbc |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0oyckfky.gx3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05fdefb4980c87b82c4c4a25601234bd |
| SHA1 | e05f93aa223a928b00fff3ba3d812c08ecbc9456 |
| SHA256 | 9a54785e07ca675428dc1b06722e0510c21368325c6a95ce5e38714556188a8a |
| SHA512 | 64b73bece05cfbf6bc254ac755e1505c99dc63b20050010778d576339549351d53fc89054ddf417957a0ca3562ea34056005eaab6167018146a688ea044cc33d |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | 4e7fc08dd4789c93c9cbff95d0fa97eb |
| SHA1 | f08904aef3d78a1819021e4db14fbd190c8dbc90 |
| SHA256 | a185f80dfa3b4bd9942f4230d8706fd106844b8ba4392f29561fb326e217b3b5 |
| SHA512 | dd4c2f2393e6ca50749d1b6ef51c81612cc381a83a05fb4fbf0b8c3a9755ee22944a22e3f69c86a6ee8054d9228e181c595bd9a2942273035a28c96596d4c53d |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | ebc04efe08c5b479d966dcc4098ad9fd |
| SHA1 | 982c038afc8f5c796145ad9f244dd630ed49ed85 |
| SHA256 | 0cff7fb1fa385668dd0006c0ae569a42ade53e94f948aef3092a176482374144 |
| SHA512 | a8d8f13c25f0c8c3e2576043c84aa4224a188483dcef98d8edb9bc0c83d4232e74e444aba2565a7c76192fc3ad71de2ed4c6b9ec68426f16eee788d065bf143b |
\??\pipe\crashpad_1188_QKFXMMQFCHEVYMJM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies
| MD5 | ca5140511af74322c725bb305000e0fd |
| SHA1 | 000c141e937864f0210cd6ddcf2503f73b0ea074 |
| SHA256 | 18d1a4b935b714f0e0efc39e97b3ce3327e0238a84f75247cfa0014350297e67 |
| SHA512 | 429498bc61e1e84e98dfb1eaa8b11cfe3f7a9814e5d89c547b02d2c54778e19f0463c41f5e662a060e516651c37139e4023dfbfc1119c7bbe8d2ea31f24ff490 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\ojkchfcrfholijuascxcz
| MD5 | ac300aeaf27709e2067788fdd4624843 |
| SHA1 | e98edd4615d35de96e30f1a0e13c05b42ee7eb7b |
| SHA256 | d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9 |
| SHA512 | 09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 120b13a5e5053448e6ccaaeaf58245f8 |
| SHA1 | c1d6160a1eef4e60388dd614376e604687a60e5a |
| SHA256 | ca8eac8c9714e6e8265b87e8510b1bac40079d6257a85e2551029596d43d6c11 |
| SHA512 | ecb4298a5aa388b54ebea120a56f7790f2a7e4fa9114f25826914494a61bb1a96bcdcac026f8c220b10cf17a5d1245504c55cc921fc46f80d75ca280afce2920 |
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
| MD5 | bd73f49096939a99d2744aaa159934c0 |
| SHA1 | 040c188c15800343e05faba00718047e3e8f78a2 |
| SHA256 | 01dd13a31cee72fab6770093fd6db3548a97e481d61fd3be84292cc2fd5527dc |
| SHA512 | fbd72b9be37088bea1e4a6bcdf6102197aa36a8e7a4343dbb3311496ff1a87b4467c4f09563e5c6bfa50763120e79bfb378afe109f27f14ea88952700620eaab |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 182389587d072e6e23968202c9472e1d |
| SHA1 | 7845c8ade4ef69ea5bdf9050f68a3bbd8e26a1d2 |
| SHA256 | c1ec9b6291d064fb3ba81e80de6160c2f95cbeeb9fcf6a1761058f8a8fc2de19 |
| SHA512 | 9033a14ee0f6dfd56ad56dc8882a2e5d2ebfdcc66517cbca9c5e6b237095c9d08f0433bce8e2de4d5471c34d9734105cf56044f2c6533266a489e6c408437f76 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 6b4c567bc85577f2a6a845916446b600 |
| SHA1 | fa4e6802038888c2641de47efdd7a10b3e49ec23 |
| SHA256 | 42be63c53e2790080c2b45c2a3e61589677007ac43686ab9378955707011084a |
| SHA512 | 69b55194e91745075bdbf8db0cfa977b7701b8dc360649542bbb6b9643db32bc248fa589bf387175748af0263a158ecd341e5ed2d5619cd0880d51986a115f7c |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | 774e69ab9061df55fcaacb61b7c36e95 |
| SHA1 | 069db90e96c038853d7d56a9432077f7db91606d |
| SHA256 | ccc7f9190449d8cede247bde8289d606f3f8667732fc4b08c0742fafee44f01e |
| SHA512 | 9425772aaf2b0a6247696c02051f4a6e83638e10fb44e4d2afb5cbe1798991c3bc1264a3054ab70e15b5c1371ca3553aa15f5c05d3ca244a24a8fdec20ca0d2e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log
| MD5 | 90881c9c26f29fca29815a08ba858544 |
| SHA1 | 06fee974987b91d82c2839a4bb12991fa99e1bdd |
| SHA256 | a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a |
| SHA512 | 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data
| MD5 | f083762bcffeade3b6ed33596419512f |
| SHA1 | a7480e5812bd1e2aaf9574f2f097bc2dc62c5920 |
| SHA256 | a6eca5d92b84316584edda92c8166b85a0714e8ae4cff4997b519c9a4b4a2131 |
| SHA512 | 24776c63ef67d1908d0d0a56943e01564678c8c8705e9aae6d69172848476d8a56f5533ee68832c754fe7de7577d7c6c4acabbee2cec073f5b65f0951a6a9642 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log
| MD5 | 148079685e25097536785f4536af014b |
| SHA1 | c5ff5b1b69487a9dd4d244d11bbafa91708c1a41 |
| SHA256 | f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8 |
| SHA512 | c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG
| MD5 | 2acebf927006b331b8e0cba5db3bf70c |
| SHA1 | eb1c88769dc694740cf679b76ccfa290ca3b617e |
| SHA256 | f6d20a84f9fa923ec2317f9d0a84ada39d4092039a97ab4bf9a0c6e5c2991f1e |
| SHA512 | a399fbd0204f33cd34b1408ffd88b8104205a47269155ca28f2f52b83f0dcd2ea675e97e2487904cf2f323462aa078367925faaa423777eb7161e45e89b01559 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links
| MD5 | 2cb4980104631876e8992811c812f338 |
| SHA1 | afb4b4bc82520025ef7ed9c2679b90518d72138d |
| SHA256 | 8b3c0378d7f2cd4d16c554337e62b8aafe030f9600c19d2e4fa85302255756f1 |
| SHA512 | 4ae91fb4be7becaaf8f8a0c57ca91a376285589cbd7cfa02dd577d4989505985b9d228b136165d137240b0a9b49e574911eef6af2fd6b613708ca02c4baf1e32 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG
| MD5 | 5af98e82c9e2abd0d1cb01f1c3aeef1b |
| SHA1 | 0dab3a005cb70ef91d0b5ec55d9d2167b7cc6f96 |
| SHA256 | 2b4705440c11aeafeb2642d352259f73182e517afcd0a3f9766a774f74c004bf |
| SHA512 | d107a191b244c452dca08b25333767aace7bce31cc728a89c092b27fc93f3d8dd4747de996bfac2d0127fbf1c476d98dbb85d4f9c3c9136901c33747b06fe5a4 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History-journal
| MD5 | e4ed9f8dd542db021fa7e132222c41b0 |
| SHA1 | 1d1dfddfa3fd02b8bc0ab76177608c63b64520ff |
| SHA256 | bb7fb5ddaae1f1c0b9b83b4fd1583f701391c52d57765541a6d3281c9a8a1f3d |
| SHA512 | 9810c2ab6b3e5e639b506af90fdaf668d1f124ae27f52d8b675943a7937e75db7c2343ebe6e3d5326c2264052735ee7296be210298d384e1db0b0875f74789dd |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | 72fb8fdc79e886886d9cc89b88ef11db |
| SHA1 | b602840b49b5e657eb4f9cab689940c94179ebc4 |
| SHA256 | 623fb553bc909b8b591b994a232f3361b993a75d89d3374fa433af91ce63dfea |
| SHA512 | 0ac23f265781a01f7ab0434e4dbb9e1af441cd0227d317af3f9ab436a44585321b209e167bbabc7461e28407dde3ba3519d67c44d6f1762ad0fa4f151dd82f92 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 03f5b0d0cde36047423d3f5744da6aec |
| SHA1 | 76afd3c804078639efd8db85925aaff22cd7eabd |
| SHA256 | 9047f92d0844c71ca1e579e82ac66980b998ea13606175c4094b37dd4c515745 |
| SHA512 | b4958125b5bda3be2b898ea7cf4580c82585f41ebdfb8859575dfc0bdd851cd206d12c268bfe2b0cd29b3a32415c012a03040a17800c14ce525188be61def59f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons
| MD5 | b40e1be3d7543b6678720c3aeaf3dec3 |
| SHA1 | 7758593d371b07423ba7cb84f99ebe3416624f56 |
| SHA256 | 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4 |
| SHA512 | fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG
| MD5 | 4a5608e7b65ffee46b671f9a84225f66 |
| SHA1 | a4968dbbe1d3a202ff9ae0581a71464b492e3709 |
| SHA256 | 55ac8d61f1493aab07679b89af4ae10e6c2c2897fa509851d5bbacb637ccaedc |
| SHA512 | 6bbc24d883023c31eaf8b8a84e2d52bb2ebc17745c994931f621597c955a62cd65f09c021d49630bc239d235c8086a315d8a8fdbf4157fbff8f66598e04fac0f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites
| MD5 | 986962efd2be05909f2aaded39b753a6 |
| SHA1 | 657924eda5b9473c70cc359d06b6ca731f6a1170 |
| SHA256 | d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889 |
| SHA512 | e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | c4e36c873b80bc3c269c5d3bbe06e6f1 |
| SHA1 | b93bd0e2751e49a8b5dd3e598714aaa72df085a4 |
| SHA256 | effb10ca39a63c0aaeca11013efb844e29b3286036daeefd6aeeebe754e93fe9 |
| SHA512 | b445947a43bc123d2ace64f7690feec15f8fc6ae490a4ba17f47b538d22d6b6540af1ed9a35eb78a847fc7241b58796eba541c3907cea0a708a068b7cae5b084 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index
| MD5 | c82c2d23df974d16ef4dc6823f0eeb4c |
| SHA1 | 1f57bcf4db271d6d33bd4da9ad5c7fd3349a6921 |
| SHA256 | d3841eac4d3e7bb72d3ac6bf26f9c7631367c658f8d51255d9ee57ee8df0fefd |
| SHA512 | 24c6d28ad9c78e33bb9adc70a6ddea2c5726fc5ebcc285ceb62f8bc252e8448e66edaa315c4e9a50350462c1fdd3a77643688bcc68543b521644fb445d769a19 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG
| MD5 | 53561602e3e7c45ae19bb25e279bd465 |
| SHA1 | d5572776764fcdc74a5735334f0a30aeda8f4634 |
| SHA256 | 2fdf347f2426791f74cf59a2ae6c55255ee92495bda7e37d92c0a57e0639227b |
| SHA512 | bd4385da1362eb421b045ece9d7530247f4e1595487ccbc1e513452d3f88d61e892f5cbf69eba2c4c137b1ca3367a7458ad8fee9c5d7ef8eb4ea24b0263a9156 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log
| MD5 | 69449520fd9c139c534e2970342c6bd8 |
| SHA1 | 230fe369a09def748f8cc23ad70fd19ed8d1b885 |
| SHA256 | 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277 |
| SHA512 | ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log
| MD5 | 9082ba76dad3cf4f527b8bb631ef4bb2 |
| SHA1 | 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0 |
| SHA256 | bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd |
| SHA512 | 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | 018191f390ab396998d4f3ce32ac9d6c |
| SHA1 | 5c50f2e8e2bf8bf0978dfd95a70d08288e645aa2 |
| SHA256 | 17a148bfe1a0ac971b0418cac309c2861af214a8b836a85bed85e77c88f58819 |
| SHA512 | eda92cc1f28e18780d9314a392b0c62c26869dfcf894f59c1fc20a81b9de93b167059b849ee05c683e229008870179dcef7e38a32c63ae8312cf3f9737fc0dda |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 90c3dbf30e7717f74ca12fe201e73b0f |
| SHA1 | 267e98b299ffecd9b5a91a7142c57b7ee37895ba |
| SHA256 | 1ef3f73e21466f8917a844191e7464e6a1eb61dfb3144fe5d8e8a40b61f6c4c6 |
| SHA512 | 7383ea3f9da243645d120aa0dc4c23347dba389af8fd14b36ef06183b994d7764ad3336aa38e077ace8560dbb50746cc3e1872c0f45d7edf8bee11e504280343 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG
| MD5 | f49e60b905a6f2b6e181580e3105d930 |
| SHA1 | 9d203cb9d656fd7e544da1a8a705e564fc6398ae |
| SHA256 | a2837a95e3f5ce5a27f2e7089958a8a00dc93ceb40a4eefce75b73a1d5c2b2ac |
| SHA512 | 618436a616d9806fca99bfc0ee3432f86a6ef7bd3f662b1fef6194682b3dfed1184756f82592a82dca76956b40a6da08ca6ed80bb4e0ce9b656189feffbcc03e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 82a6275d21340097ff840246e52f3efd |
| SHA1 | 9a7d9ab6fc447c3be9ac3098867e4b93e404ce9a |
| SHA256 | a37370c9884af48ae746ef53839f337f05173c63b6f30c9cb4f40d64f6475c0a |
| SHA512 | e3fb24639dc97a36a68fdb5f48aeb8d7bdc207a8766fe808707e8dc5dd2f5909d40f3fd74ec2bea299d835a9a477847f3516efc9f39e2a81c93b349bca8f63a5 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk
| MD5 | 2bd86bed65ac1dcfe5c2f2259ec72b2f |
| SHA1 | c6af66b486ec4ee8e454658b44fcc0a3aad3ce2b |
| SHA256 | 41b55fe9083760b135d88f26e8b490f9acf9a9a646516fec0779ccc8ca3676e7 |
| SHA512 | 9eaa2535ca8a439085514ee3da91f07fc268b55dac89d9f50dbd06838f4c3fd501cb0ad6d35a0ed8a3337558cbc27ade35514bbd8ea1cd2a4926b6479a949688 |