Malware Analysis Report

2025-01-03 06:17

Sample ID 241129-drm49a1rfx
Target asd.rar
SHA256 27bab8020d0e62c51725515958b394e32822498c9f1dd68e98d4ff24a895827b
Tags
asyncrat stormkitty default collection discovery evasion persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27bab8020d0e62c51725515958b394e32822498c9f1dd68e98d4ff24a895827b

Threat Level: Known bad

The file asd.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default collection discovery evasion persistence privilege_escalation rat spyware stealer

AsyncRat

StormKitty

Stormkitty family

Asyncrat family

StormKitty payload

Async RAT payload

Grants admin privileges

Boot or Logon Autostart Execution: Active Setup

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Network Service Discovery

Enumerates connected drives

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Launches sc.exe

Browser Information Discovery

Permission Groups Discovery: Local Groups

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

System Network Connections Discovery

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy WMI provider

Suspicious behavior: LoadsDriver

NTFS ADS

Checks SCSI registry key(s)

Collects information from the system

Opens file in notepad (likely ransom note)

outlook_office_path

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks processor information in registry

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Gathers network information

Suspicious use of WriteProcessMemory

Runs net.exe

Gathers system information

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-29 03:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 03:14

Reported

2024-11-29 03:19

Platform

win11-20241007-en

Max time kernel

269s

Max time network

267s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\asd.rar"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Grants admin privileges

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1708 set thread context of 1704 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727764362482282" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{A195C771-F082-4D22-85F6-89619812F167} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400440010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000007073becab118db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\dnSpy-master.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\notepad.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO4DEAFD97\asd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE7E6F7\asd.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zO4DEC9E38\asd.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3796 wrote to memory of 1708 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe
PID 3796 wrote to memory of 1708 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe
PID 3796 wrote to memory of 3636 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DEAFD97\asd.exe
PID 3796 wrote to memory of 3636 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DEAFD97\asd.exe
PID 3796 wrote to memory of 4564 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DE7E6F7\asd.exe
PID 3796 wrote to memory of 4564 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DE7E6F7\asd.exe
PID 1708 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 1708 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 4036 wrote to memory of 4760 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4036 wrote to memory of 4760 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3796 wrote to memory of 392 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DEC9E38\asd.exe
PID 3796 wrote to memory of 392 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4DEC9E38\asd.exe
PID 1708 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 1708 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 2424 wrote to memory of 2936 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2424 wrote to memory of 2936 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2424 wrote to memory of 2384 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2424 wrote to memory of 2384 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2424 wrote to memory of 4740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2424 wrote to memory of 4740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1708 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 1708 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\SYSTEM32\cmd.exe
PID 4296 wrote to memory of 5112 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4296 wrote to memory of 5112 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4296 wrote to memory of 536 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4296 wrote to memory of 536 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4036 wrote to memory of 4288 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4036 wrote to memory of 4288 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4036 wrote to memory of 3856 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4036 wrote to memory of 3856 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4036 wrote to memory of 4312 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4036 wrote to memory of 4312 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4312 wrote to memory of 1016 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4312 wrote to memory of 1016 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4036 wrote to memory of 1432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\query.exe
PID 4036 wrote to memory of 1432 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\query.exe
PID 1432 wrote to memory of 2488 N/A C:\Windows\system32\query.exe C:\Windows\system32\quser.exe
PID 1432 wrote to memory of 2488 N/A C:\Windows\system32\query.exe C:\Windows\system32\quser.exe
PID 4036 wrote to memory of 3012 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4036 wrote to memory of 3012 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 3012 wrote to memory of 3544 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3012 wrote to memory of 3544 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4036 wrote to memory of 4588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4036 wrote to memory of 4588 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4588 wrote to memory of 1164 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4588 wrote to memory of 1164 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4036 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4036 wrote to memory of 2680 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 2680 wrote to memory of 2784 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2680 wrote to memory of 2784 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4036 wrote to memory of 4024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4036 wrote to memory of 4024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\net.exe
PID 4024 wrote to memory of 1828 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4024 wrote to memory of 1828 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4036 wrote to memory of 236 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4036 wrote to memory of 236 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4036 wrote to memory of 2284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4036 wrote to memory of 2284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4036 wrote to memory of 1060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4036 wrote to memory of 1060 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 4036 wrote to memory of 4496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 4036 wrote to memory of 4496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\ROUTE.EXE
PID 1708 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\explorer.exe
PID 1708 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\asd.rar"

C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DEAFD97\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DEAFD97\asd.exe"

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4DEC3BF7\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DE7E6F7\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE7E6F7\asd.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Users\Admin\AppData\Local\Temp\7zO4DEC9E38\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DEC9E38\asd.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 147.185.221.24 4448 HVNC_MUTEX

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Users\Admin\AppData\Local\Temp\7zO4DE3CD78\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE3CD78\asd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ba793cb8,0x7ff8ba793cc8,0x7ff8ba793cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ba793cb8,0x7ff8ba793cc8,0x7ff8ba793cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7312414471161652829,17404999287976470,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7312414471161652829,17404999287976470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7zO4DE1DC0A\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE1DC0A\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DE7020A\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE7020A\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DEA100A\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DEA100A\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DEF460A\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DEF460A\asd.exe"

C:\Users\Admin\AppData\Local\Temp\7zO4DE5B70A\asd.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4DE5B70A\asd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8ba793cb8,0x7ff8ba793cc8,0x7ff8ba793cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13687789950103381970,1455975033404279976,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

Network

Country Destination Domain Proto
US 147.185.221.24:11061 tcp
US 8.8.8.8:53 24.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.24:11061 tcp
US 147.185.221.24:11061 tcp
US 147.185.221.24:11061 tcp
US 147.185.221.24:11061 tcp
US 104.16.185.241:80 icanhazip.com tcp
US 208.95.112.1:80 ip-api.com tcp
GB 104.86.110.128:443 tcp
US 104.208.16.92:443 browser.pipe.aria.microsoft.com tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 147.185.221.24:4448 tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
US 162.159.135.232:443 discord.com tcp
US 147.185.221.24:11061 tcp
GB 95.101.143.219:443 r.bing.com tcp
N/A 224.0.0.251:5353 udp
GB 95.101.143.201:443 r.bing.com tcp
GB 95.101.143.201:443 r.bing.com tcp
GB 88.221.135.33:443 r.bing.com tcp
GB 88.221.135.33:443 r.bing.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 23.73.137.233:443 aefd.nelreports.net tcp
GB 23.73.137.233:443 aefd.nelreports.net tcp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 140.82.113.21:443 collector.github.com tcp
US 147.185.221.24:11061 tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 204.79.197.200:443 bing.com tcp
GB 20.26.156.216:443 codeload.github.com tcp
GB 95.101.143.219:443 r.bing.com tcp
US 147.185.221.24:11061 tcp
GB 23.73.137.233:443 aefd.nelreports.net udp
US 151.101.129.91:443 images.sftcdn.net tcp
US 151.101.129.91:443 images.sftcdn.net tcp
US 151.101.129.91:443 images.sftcdn.net tcp
US 151.101.193.91:443 images.sftcdn.net tcp
US 151.101.129.91:443 images.sftcdn.net tcp
NL 18.239.70.135:443 c.amazon-adsystem.com tcp
IE 3.162.140.120:443 sdk.privacy-center.org tcp
US 151.101.129.91:443 images.sftcdn.net tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
IE 3.162.140.117:80 crt.rootg2.amazontrust.com tcp
US 151.101.193.91:443 images.sftcdn.net udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
US 151.101.193.91:443 images.sftcdn.net udp
US 150.171.27.10:443 bat.bing.com tcp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 120.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 8.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 117.140.162.3.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 151.101.129.91:443 dnspy.en.softonic.com udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 151.101.129.91:443 dnspy.en.softonic.com udp
NL 18.239.70.135:443 c.amazon-adsystem.com tcp
US 147.185.221.24:11061 tcp
US 104.22.75.216:443 btloader.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.179.251:443 storage.googleapis.com tcp
US 4.227.249.197:443 u.clarity.ms tcp
IE 13.224.68.110:443 config.aps.amazon-adsystem.com tcp
IE 13.224.68.110:443 config.aps.amazon-adsystem.com tcp
US 151.101.193.91:443 dnspy.en.softonic.com tcp
US 172.67.134.120:443 bt.dns-finder.com tcp
IE 99.86.121.32:443 aax.amazon-adsystem.com tcp
US 104.22.52.86:443 cdn.id5-sync.com tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
IE 34.253.17.104:443 id.crwdcntrl.net tcp
US 130.211.23.194:443 api.btloader.com tcp
US 130.211.23.194:443 api.btloader.com tcp
US 104.26.6.141:443 cdn.btmessage.com tcp
US 104.26.6.141:443 cdn.btmessage.com tcp
IE 13.74.129.1:443 c.clarity.ms tcp
NL 139.45.197.227:443 notix.io tcp
US 204.79.197.237:443 c.bing.com tcp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 ad.360yield-basic.com udp
US 8.8.8.8:53 htlb.casalemedia.com udp
US 8.8.8.8:53 hb-api.omnitagjs.com udp
US 34.120.63.153:443 prebid.media.net tcp
IE 54.217.38.153:443 ap.lijit.com tcp
US 104.18.27.193:443 ssum-sec.casalemedia.com tcp
DE 148.251.40.6:443 shb.richaudience.com tcp
DE 148.251.40.6:443 shb.richaudience.com tcp
DE 148.251.40.6:443 shb.richaudience.com tcp
GB 185.64.190.77:443 hbopenbid.pubmatic.com tcp
FR 185.255.84.150:443 hb-api.omnitagjs.com tcp
IE 3.248.1.106:443 ad.360yield-basic.com tcp
US 104.18.25.18:443 js-sec.indexww.com tcp
GB 2.18.108.192:443 ads.pubmatic.com tcp
DE 138.201.8.249:443 sync.richaudience.com tcp
FR 185.255.84.153:443 visitor.omnitagjs.com tcp
US 147.185.221.24:11061 tcp
US 147.185.221.24:11061 tcp
US 104.16.185.241:80 icanhazip.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
US 162.159.135.232:443 discord.com tcp
US 147.185.221.24:11061 tcp
US 66.254.114.41:80 www.pornhub.com tcp
US 66.254.114.41:80 www.pornhub.com tcp
US 66.254.114.41:443 www.pornhub.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
US 66.254.114.156:443 cdn1-smallimg.phncdn.com tcp
GB 64.210.156.22:443 ss.phncdn.com tcp
GB 64.210.156.20:443 ss.phncdn.com tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 50.19.94.201:443 ads.traffichunt.com tcp
GB 89.187.167.20:443 pix-cdn77.trafficjunky.net tcp
GB 104.91.71.138:443 th-cdnv1.akamaized.net tcp
GB 142.250.179.251:443 storage.googleapis.com udp
US 216.239.34.36:443 region1.google-analytics.com udp
US 147.185.221.24:11061 tcp
US 4.227.249.197:443 u.clarity.ms tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO4DE5D1B7\asd.exe

MD5 7bfd1845ffd7585cea13a9aaa6668fbd
SHA1 e045e3cb0da37e1f22991d4f0127e063a6c5aefa
SHA256 348f0695671ef99885979ad51820ec18bd3e8ed09fb3ff5ceb591dc102e8293b
SHA512 9eaf8ad24524d18f2c6bc13bf41d85a4c0eb8705d9840d88501570f23cacccb870364d945293d2f1eff7f49aabee625f3f04286abac4e91995d516f841177f43

memory/1708-12-0x00007FF8C0A13000-0x00007FF8C0A15000-memory.dmp

memory/1708-13-0x0000000000110000-0x0000000000128000-memory.dmp

memory/1708-15-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

memory/1708-16-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

MD5 cf759e4c5f14fe3eec41b87ed756cea8
SHA1 c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256 c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512 c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

memory/1708-33-0x00007FF8C0A13000-0x00007FF8C0A15000-memory.dmp

memory/1708-36-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

memory/1708-38-0x00007FF8C0A10000-0x00007FF8C14D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\asd.exe.log

MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

memory/1708-52-0x000000001C1C0000-0x000000001C236000-memory.dmp

memory/1708-53-0x000000001C640000-0x000000001C762000-memory.dmp

memory/1708-54-0x000000001ADA0000-0x000000001ADBE000-memory.dmp

memory/1708-93-0x0000000002320000-0x000000000232C000-memory.dmp

memory/1708-94-0x000000001C070000-0x000000001C092000-memory.dmp

memory/1708-95-0x000000001CA60000-0x000000001CB94000-memory.dmp

memory/1708-96-0x0000000002330000-0x000000000233A000-memory.dmp

memory/1708-97-0x000000001ADC0000-0x000000001ADCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp566.tmp.dat

MD5 9c2aff15e8621453f4e0816211285ea4
SHA1 528523d2aaa3d8e34a7403135f392b6f46b27e8d
SHA256 8ca103b28c1ecfd5080f6412883cc69b6e86edf3b5dd7ef75924746bb75424da
SHA512 770117d15d333a499bce01f6b7d9097ce1c779edac0a341701fa00bf266bee17f80e336e1538a74d9dd28c13628d3d39bdd08deb42cf08662b881b7a0526142d

C:\Users\Admin\AppData\Local\Temp\tmp579.tmp.dat

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 194ae4e7b36af128f1cf193fd60c91f7
SHA1 edc3e6139cbe7d709a6d4d35ff8f9a76bb3e5ed2
SHA256 dd53866727138c48a1b5e7fc2127e65a947347f0e0d2b2aee3e015303cdecdcf
SHA512 a32c85f02ab590e2e627d0da765fccf048a2ffd52158d5317e5635d47c6d9f6e7f6d67943f40721faef34cb07d8325524ea5bc095aabb594a7c5be552effd726

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 d03c4da6a6449fd0d1b34928265c8cac
SHA1 22e1564e3851f0805861e99fa35ef1e90b3d45a2
SHA256 710bf7a59c03fce3c34d52f2d31ed2c751970f3709634e16f1b2d239068504f1
SHA512 124977f11f2791abbfc1038316141cc2797633ca450b6c82526c804264307f6e7cb7b47b4220c8187d7f08005dff511cbab04cf87694ba8eabc6837698a5a6b6

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 763418c1ddb0f158beaa731bf924c1b7
SHA1 bcc8e0b4d03f2e4b6811fe59aeef2ff197958850
SHA256 15cab4238fbd64fa8c6db4c273dd74f410f6d0a31b77f7294c69d9caa2cd2edb
SHA512 0c0e03a78dfbaa4817eaad23b8886a1e273f796c06a54bfb0ffbdbf416410b2b193d883345bc297bf6710eacc3c1902d6f8ca03d9154a1082613838b1d9d2117

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1708-219-0x000000001C050000-0x000000001C070000-memory.dmp

memory/1704-220-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1704-221-0x00000000058A0000-0x0000000005932000-memory.dmp

memory/1704-222-0x0000000005940000-0x00000000059DC000-memory.dmp

memory/1708-224-0x000000001CB90000-0x000000001CC0A000-memory.dmp

memory/1704-253-0x0000000006360000-0x0000000006906000-memory.dmp

memory/1708-268-0x000000001CC10000-0x000000001CC94000-memory.dmp

memory/1708-269-0x000000001CF90000-0x000000001D143000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8d625fb0-ce81-4051-89d5-a0726397d0d5.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 cb557349d7af9d6754aed39b4ace5bee
SHA1 04de2ac30defbb36508a41872ddb475effe2d793
SHA256 cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee
SHA512 f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aad1d98ca9748cc4c31aa3b5abfe0fed
SHA1 32e8d4d9447b13bc00ec3eb15a88c55c29489495
SHA256 2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e
SHA512 150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2199ac88728855852f0833565bc7a6a3
SHA1 c6408e9608b05246ab125137b6fd6316a1b2a219
SHA256 9886280b8802b6629fb8affba52cd9d4c4973575e3067797fb4a156e318c2295
SHA512 ab89db948f9ff5b71c36ae328d1a9ec08f6daf8f11fe7b7df532fe928cbb9c8435457a8699f057b3ce00dada72c95692dba6ab48b3364539a595b97156a36aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 759b7b9a43fdfee35bd6f2c6e5ee49a2
SHA1 3cbba8d78fc7125ff06914d90d1e5cab2f69ab63
SHA256 3d898a89adc6f8d7d45322de9fcb2bc75d4273681e30d711465c9ee4632b3215
SHA512 005bb045dca76d8f85f584a1fa1114ea7d979935fc07caa4b9b2472b3489e4bb7afef509791a62d1e34df3d7b0f6a980a785074847b882e9300a08221ae35b02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 453c5cf41274ddb4a3149623f9c8544b
SHA1 56cc3a69d9edaea87c8076892d313b4fd2b30050
SHA256 7a0faa1363ba38850e772074251826703b8200e011ff8f2237f3625c4f76fcf7
SHA512 a249adc52b10b17e7c27a86d61700b027e5c4a7f2622f345dc9e9e3c8c59d2e83c6ffddfb41a31076019150e1996af742cd9d0ac2f3694e2421d269aa249d9c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 610d2f2d4144e6d1465716919148b7bd
SHA1 f49fb4f24d9700bc983edda239b9b0b2f68068e9
SHA256 cb565ab08aec255ea28a90e4ad44bf8c5dce9d15b1763e89070e0a1cabe669a3
SHA512 b7eeaa18d1d1c4e5d60284bb2fa9847621283581b9985d4e52ddd0baafea95ab83fddcc69e04b8ed2e59a82e651e19f4eae119c90e22c4e5e60c77d47cbbd6ea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2bc7f4efdfb2b504fcae7bd8e89812b2
SHA1 9744323dfefcfb86a40783119a31d8917da195ec
SHA256 5b3371e0bd7f8981e91cf6fb0bb90c5f1c5978a2ce10da2bc90a8a10e76d6ae7
SHA512 1677a5d68e8d2d910c46b1f9f49e39828d47444b4259eede9773bc860769a401b86f76d7420ca30d8d25a59523baa68531e7efb2f45650a8affc4aa85292f2fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0fb223ef37af5485a40231d754bdda59
SHA1 3bf3bf2ea45e0e8352c44606cb240dcf66fa31a9
SHA256 1fb665463e0d0c8ed344bd62924fc62362a653dd7f059b158b12cc69c3d08eb1
SHA512 c9fd33d1ebf3e8fe8628d3a5ed1b9f3e426d1afc688b616c54a4ee938ea8d412a865b6df534a3a2f8ad34f71862f6685700296007a15155e70360154b7a6b421

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591449.TMP

MD5 02c36521be24ccd92eeef58223f22853
SHA1 35a08bbb1bfc9d0bd7ccaa3e971bee21a8bda96b
SHA256 02c5d950a49bc180ea5871691ba9715a79d798a339e201b00342326e2782613b
SHA512 3c2406efb2bd47480e422db7712c5a7d2fce0382de6200380da0fc46ab0acbb804f55ef4fbec8f9b019abb42378cc7b50004f402fd0e4b7d2b640f1cb098bd16

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\07716107-fbdd-4777-9e83-6de429954a52.tmp

MD5 b0b60c473b8dd42754763d9781ca89b3
SHA1 0836b5ee971d0403e5b26099ae0cca87c83620b3
SHA256 ad04257f1e33379988791281567c15b2cc665413fcf1546c681deb665b7e3df5
SHA512 87a5f1e357c768888fa12c2da2fcdce23aa2015ba9bb33131f24b7e61954a1209ada5275128d8dbd7ae9675140367b23eefaee50ebfef3e8b9312565f5ace89f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3ab249b48093162fa30489516349586c
SHA1 ab66882afdff3b88940fe297509199502486c482
SHA256 c5f5c9b58e27c03b8b1d4886c30620327b0af7758329b19b3b302f92cd77d961
SHA512 260d6fdb126231a1d34d533eaeeb82219152b9f51ddaa6ece77e80ee44af39961ab4e0d446bd1a5ae814d8531b2a67ba17cdf3b84c88a7c7199c3a2ab168d9ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c584dfaab20e97a8d24bb545e5d930fa
SHA1 e7ce5087ece8fad446e72dcfeb55d125d4048545
SHA256 a9be0792a0ec56945e197bd0564c52ec4108718cd0afd3f57e114147b2e3c6db
SHA512 c6ef206fa4bf64e1e241c9558a375a17ecf933ddfa848538402631cc216df6aa35b124488c907fd19caa4fcf3b1e49e41161de4e233585c095f77e7333ff649a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bb7d62b0cb01188aee73651d27b20f7d
SHA1 d52d541a2a9e7a4b7242ff6f371103b90614f9d1
SHA256 2b8789e9755b3f663c2acfc159a2c138ad0bda7b4b0057ee99f24ce4ec780b46
SHA512 edba8dd02af99dd7a72e7301f87fea2510003777f10a85cd71999605cfde36e088beba92544ea7cb11aa1705eaac132dc366bee193a6e3c90f7c5a88e737c858

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8d90a6b9-95c5-4eaa-8e48-12bec3832fe1.tmp

MD5 d55241caf07d72cb65b50afd7452a14e
SHA1 34d48fd5810da28d2837a24888f1ce41e6d0cbb9
SHA256 225e4c81e00176dddaa1428bdafec17cde942814cb43571fac80564e26ea3cb5
SHA512 ffbcfacdd1fe89e1507fb72f180f897f2bda9df08988cf98c129f2b7e5cf9a1d0d2093ff186762dae2002f2e6e53e8b079e3e283f702ba0f38a69dcef95d4d6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d67e2d46aa3ac1bfb12ddc61b2728165
SHA1 45071b5ed6b8eed981b9c7de2350711a0d74ce1c
SHA256 53a21931eae1cee1145ca31680a1e69aec0da16823a6d7d8b352f7712917539f
SHA512 1a16d319d9a52d626e2d810ec5c47ca202a9650af83f457cbc74b41aadffbe38d4edd742322a0ecdf60839e04c3c5c7143b5b7a4c8fce2b82d62b64afb2bb009

C:\Users\Admin\Downloads\Unconfirmed 648825.crdownload

MD5 e5f4821da50868c15781dc665d0a563a
SHA1 9c6428e092b51a59a3404559003cb6c86351da7d
SHA256 972a6784c9e0a1592adbcfe7c500f1b87322b91e79030ac689451fe30cae5e06
SHA512 e315c6f399619b61d79fd4dd4e3d1a4a61e714f8883fb483fea4b2cbe10f2651c2a0946de75136fb287cfef93e7f33777711a8752adb90c874bb8d0f221ec6c0

C:\Users\Admin\Downloads\dnSpy-master.zip:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 172fe98ccf5dd2bf19918e9befaa0fc4
SHA1 31776ee9a4b1cb29cb3aa53928e12b2e6b3222a2
SHA256 c2b36191d9193af10b6dd4c054d4aae7f732eb3e337b659c3ef32ecbd4107a35
SHA512 5d5f564bbb69b16e3936f2d7a3d5b661363fe7c3091086a663454780382877ec6051c0fb480d392217991e8c204cede4ca6ed4a8ecc18e4fcfe90e9255d880c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9df244c950207b94b445244ecff53c35
SHA1 9f286fd540b37621846a458240f1ba81282f90a8
SHA256 46c17aea099ae688614471a0dcd4365e6453ded73a24432279358afbcf8c763c
SHA512 88520a10dadabf152b4d7e12373f4170a8133d7eca8be6786edf04e367ebe63fbb2458791938a51cb0c746cf233f88f9325f1fdb18a7ca3ffc8afcdf1a1c89fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 c813a1b87f1651d642cdcad5fca7a7d8
SHA1 0e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256 df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512 af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 b275fa8d2d2d768231289d114f48e35f
SHA1 bb96003ff86bd9dedbd2976b1916d87ac6402073
SHA256 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1
SHA512 d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 226541550a51911c375216f718493f65
SHA1 f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256 caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA512 2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6ddfc07701c875904b2e7bcf8a542a59
SHA1 9f2f5e69834ae4beb9ebaae3c8153033829112c4
SHA256 0ff00379ed503d50095c996bd1414f9b400009acd48e1373616c4e508d3e709c
SHA512 263d4a3b5894cd70a502942ce49790d88382f38b248e587fbceddfb5c8ba63dbf7e24f50fe322a06cec65f2f409fc6469b0c0fcba17828739b59255d6e5be042

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ac50916aee4fa4bc68d988a5da883d09
SHA1 16aa207a12238dd7dd8e6f1f02b7b20d0cac137e
SHA256 42ecb211cee0a0de0baab95fa1c800acd6b2ee128bc3695af41f2b0102fdd12a
SHA512 16cb0cddb0a97193e7f1ed24b98c62e1c24c16e5b03149b28c5282e7f74fa2b25f99ad4dc8d03c5cb3a22f37709c71e765a092569d15a600998d76e383229e68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7c65a38526ac10190feec1fd63a5f8b9
SHA1 8571b2958a0eb749863fbe73a3f18b363680f4c6
SHA256 a2e386d07314ea4c38d5c0865f8bb76a7136b40a4e25fef1c723025f151ed126
SHA512 7a80048ea2ac2875fd92d076ee9563eb18225b4ae0e63e781eb050330f24dd41b6db3123f33ad3f30a2e93d0bbc4f0812222425b271de11e52792e8a73e5511f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 0d89f546ebdd5c3eaa275ff1f898174a
SHA1 339ab928a1a5699b3b0c74087baa3ea08ecd59f5
SHA256 939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e
SHA512 26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3e2c17f95a71b7642f6e25748558a6f8
SHA1 3042bd3baef18794fc29014cf8443b3e9ad2decb
SHA256 1d0dde8e9293578f2f459eb48f97342341cf52d94e952afb4d13a23061a63a79
SHA512 e423b1bc7ef4f81c29972462d27c2ef4666b08b90143602ce451b155b6d7c491f04a2fdd90a2c6d6676f9ef865263ab38e5c91e05b1e457009be7c09293a6071

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de1db8c4356a127c9b05ae175cdd3c73
SHA1 d1ece8d8cbf7f4073ef0ecf61364fb73fdc1b2d9
SHA256 61aa72dd7370a6540ce16430fdbfdd4cdd6bb047e7fb09b5775048068bc4747e
SHA512 1e3532d206858e7569da143125aaa99a63fc308d3abf0246901334386001e7fe6ee029f54418a2698df0a4c964578b1183f19c9383251cdb09adcc74ec75be83

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b418393966046b9eb6a69b7f50ff85a
SHA1 69af8c1a82a6e2415b2cc759fbf8c9d866ca6bf2
SHA256 7e3e6bad3889a32c8d072b120d1c9950f61ae32518d1d93b26b49621e2b0936b
SHA512 a0829738a6b56a8c65259af41295b8b38caff1eb2ed3df9961aac14abe888e045eac1cf1dd1cd0ae2998e5b6c1b25c9667b368445b131bb613a6c32f3efff3cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e7595b39009c327068bb6318db7cbf71
SHA1 2d8636542bf726c89b646d48c4c5f28a7de7b5fc
SHA256 5041f69c8ac75561c366f7a4658d8a8906f6a293d1cefb65c7cf3473443dab0c
SHA512 29c39019751ad93a574d5b694264b527c2306f5281a6937d91febdcd115c4562e45e26704c6905373133f738b1f971780aed51f3642a5cb0c5023567a1aca550

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 51f4a60d40d77f5ff6cbdaec4641fc74
SHA1 2f8515c90561e559a533b8c2482cf968b3cc6384
SHA256 c32c97ddd726578d08795e33bebf2173ad0beb7572445b87c63c95376540f2b0
SHA512 5137911a83fba0ab12300ea9c0ea35da01704c69c5b14b532d15a4060fb8fbbdc446bab2e7cae79b72531f6f5ecf5d0c939338743ce9ec187d9cbcd041269a21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e9f08ef5b9d1d6809223a7e4948d3c6d
SHA1 5dbc36ac395f19fb4bc6027784476727258e1155
SHA256 c3424711b38b641962494624e419a7050a9348c6a68cbcb5e32765186a2ad382
SHA512 29581225ac35274d837b9aeb6996664d0fa7df2e8d5274fdeb5417a338d78468c0c2d7a137080408571d0558579329b2197068ebf85c2ad3c06f98e668b27167

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 648263a9e691dea39ec6d85e481a2287
SHA1 bf3e67cb83a39fea3bee39be0dbbef9028564094
SHA256 5be02133d1e287c7c6b9c6063cd54893e9624c7a136f69dbbd5ba91e835e23a7
SHA512 977a76aae33961cfcb2c7c0e5cd565f7c09c9bf67e4df2739e7d6bfce9a9248664147c10c9f9261d665080feaf9f2af3a1c01ea4343abd50592ae3f818683ada

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a9694.TMP

MD5 fd653c3156e8773250f32f534b91a6b7
SHA1 3b98b67e902531934371b6df6442fb2a4128b346
SHA256 955ad5fbf980373a49f23bebfddbaddd6f897ec98c41aa23ac165430de008f57
SHA512 5d442c5ce4089e939d2a2cca2093fadfadc4c3579cf811ee737c608572d764c4f2fa2ad8456b740e02c7e9eb88f91b3a02faebd3633dcf130da44ab37e000ef9

memory/1708-1282-0x000000001B7F0000-0x000000001B800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB1A0.tmp.dat

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 2c8d73b60d2714ba75807c0d181fe957
SHA1 6e918526ac7344a69a3ea9c6db8b68ee9ad1e80f
SHA256 a0fb54396189db766112c3f12902cda3551b386109c4f71198cd45962ffcebdf
SHA512 60687530eeb5fbaa23024eb639843fb135e6880548b258726b7b885029d971fd7db892ae51e26baa4c016de7eadcbc24c5d2930811178000c1ab62c479fd162f

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 5c103651e1cb70c88a4aeb520e13af58
SHA1 3a8f938eea7afdd1592a275e19b112263d82ad4c
SHA256 1319109b175a3358614ad0670e0389fed2f38b42a3e214211ffcad05c05cae6c
SHA512 e4ce3f0bbb9e328a2a9cbe30e170accb93ad5bb6f862d30959008fef22e8cb8bf654e19f4ffa8d090fbd2e88b1c91df329964e47225f04affbcbc7141c551a43

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

MD5 782d28721f9ad979f3be6aacab072704
SHA1 79e488f07a5602f834b938a999da874cace66cfb
SHA256 0b35793705ce6a2357456bccd235437e0cb56fa18b8de7481f8a6b0d670cc70d
SHA512 8064c19cb3e283b357e1526107e8eb775d638ca553d731a535dcc8ea4144549782f1521c4ac2e259a95400a29a6357ee07aa23ea370b8ffe19a90ca56ae97741

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 bf1ef4591c44c25d4c7a60fa2723eb7f
SHA1 50de1679a34b5408815712e43674a7f43e77e063
SHA256 068d24ad70f0298ce35876fe84937e0954a15a66eec546cb4a230b0bed7824b4
SHA512 e2fd4b896d5c3eedb3b59988461de06f6ed770e84ca9c8b94519cff051500d3698eec9ef7d876c2714c8ac9bda81a5d3c8c783a4d28565ca4c01d55c9d7e33e2

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\Pictures.txt

MD5 598dcfb1c6ec46eda9341a5ccc9da362
SHA1 7a47156e86e61979bc3c151ace71ab0afa3c26af
SHA256 8445290e6480e587cddf8f04bad08f01efc25c11f89a324e2dd6cf973e3bc3dc
SHA512 3480590bc0ba68c38ff3e1ffbe30a4b6f7c75dee78e29f499132069e9715403b874a8ef99e0512e9f1be3a91fc24a64d1c798f7f3cf8c68fbea5fae39cb97b3c

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\Documents.txt

MD5 e40818fc5d55b29df61edcd600b0ae8b
SHA1 331b16ceb344dfe0c903cb337b6ddaccf2eb3e3f
SHA256 66c6d05210297060e3295458c4e0b926c42e06e51c22de2a8a15f29c6a301268
SHA512 8bca2183a676354ba743634b53aa533d14c6a7bbe3a73ba3cdac62b695406f198bc8735d552bb3648d8a21c4251ea88b331b3a0e78e43fe4bd6c8fac69fab2a9

C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\Directories\Desktop.txt

MD5 62c90f7fda0ce69ca26b3399a4035017
SHA1 0cd6c1e515665f612960367b519ce44ef5997847
SHA256 7fb6b48b3385cac8de41de173583eab8991b7c6d9da50356cc9213212fbab72e
SHA512 c16f2e477aa423f6c70857ba0182ca70f50fa6bc0a1771115b058728db8e0a934c64fabe4f25254276619b69cbb0b2ef7856bbd29d2b39983f278ffc301d301a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 610404e2049c0b162673a69c4956f3b4
SHA1 f5faf8679691a0daf28dc01d46818e702382888a
SHA256 998a73765942bf84e17f3b140748da155e9069448cc845258ba65e48852d1a6a
SHA512 0f1a5280840ca83b37a3f551f2e74babbc6f79cbd54d91ca3f3c1ae1ab3c4ec5e227ca1a93d7642ab8e92ffb19e9ad78d375d68f3105584390ac8edcb14bfa6d

memory/1708-1475-0x000000001CF90000-0x000000001D143000-memory.dmp

memory/1708-1487-0x000000001B800000-0x000000001B80E000-memory.dmp

memory/1708-1582-0x000000001CF90000-0x000000001D143000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 54c42dd1a4d1daa72b4d978e78e140a4
SHA1 639833ebc2f0edefe782f00dc07eb42b82ff657c
SHA256 58d0b93dee5209e7097b23ab8d681d622a2c93d674f59aef4d06f264a378fc36
SHA512 1f45f59b294e1f3e694f398c35970d157458e209206fd2178d27dbd986d027f8937ec6b36ba7c8615bd29bff47be4c65c72d35980d654539f41be043afabd9d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 266b74a61d6e82b4db5b5874ced3c859
SHA1 9968ef94a800601ba0bafba2e322ca490f6e0fa1
SHA256 ac3af9b48855a4a82530a7274b01a2258181909bed4813ceaa3ab8ece8fc9220
SHA512 1475f34034788a325eeb65cc690ff909d6ca2f0349b2edffd05af494e333b83485bd7a30511d6210036711853d55a4af6a121baadc3037a199b0bec1e5f705c4

memory/1708-1618-0x000000001CF90000-0x000000001D143000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9f5a3b1d0cb2d2a590558ce627f26dca
SHA1 a129289e511f09753ad17aec55ab97e87fd13def
SHA256 0cf3a823fef3d6b4de96cfde01379c86e9ba97c141886a17690456cebbb61680
SHA512 443f3344f78a16da8f186b1ed0fa2e568de7abc94c9b2e6c07fee90bf8e9bca7cb8412f3a6a232f79adf8a34c5788e0c030c9f563ca45913fb6941350329369f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 9357c8fc88189181dd30e1739bd8a833
SHA1 8addc10af697b1f467e38a2f77b25db0772d334e
SHA256 0442463c8d67f40b0c961f904cbecbc1fd4904be1a8f14243ef22a5c2e138c63
SHA512 603caad114319dcc48a00857e9a9e4d17aab23d6295e34700b4c954fa4d2feacf9623a77a5615e737b1d2adde32a3fc06a99eb6faf2d8f69a1de0d1bca676eee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 437c3cd46df3d50ceb4d27855b4c6074
SHA1 c700e0067d42001ae824c83d01e7090f56d72fba
SHA256 2a5adc8fdcc03edf961779c10944e3afbc0779531a101f3c0ffc904914d7052a
SHA512 7912239e6939bdf97ed2202f00c6a4c9308bc1c3cc12c859aa17b3413a4da7c5ce84ce7636536b9b777cd80dd259872e6d891458321bd3a434ea16fe7a618fd4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 a1ce736ad89229417351575fdb2c270e
SHA1 1695cfee188ea17d01a3782c2d99c1dbb1e2c02d
SHA256 90bb636cbfff840e0e678250bd499e74d5c81084b95cb0b7c85603a90fd4f45c
SHA512 807cbf0b1977f908dbc3c1b5bd314704ad8bff97f23bd32d705abaf2344f3e1f89100346546fcfbe300f78a4155185785a0781317e88a9df9ddf1f8243078929

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 22827e311b88a0b2a84c67dbc8a79094
SHA1 8618a9d1baa8223636fd8168d96ae1728996eeb2
SHA256 4061fa4ea354e80c26f5c4d66abe7f3f760073b44a9abf6f4f615ed1170559e8
SHA512 7993428a559a0a96d3c935c3722b21672e97b05cb1e14206c346708a2a5cb378a26206641c4a3dbd249a5762629d9150dbf3179189220866d3ecd09d87259623