Analysis Overview
SHA256
de405e80d59503bf1ac724e65aea61f0c6849311338fa120c9a01354228d0ef9
Threat Level: Known bad
The file 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip was found to be: Known bad.
Malicious Activity Summary
Orcus
Remcos
UAC bypass
Orcus family
Remcos family
Orcus main payload
Orcurs Rat Executable
Adds policy Run key to start application
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Modifies registry class
Modifies registry key
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-11 19:31
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-11 19:31
Reported
2025-01-11 20:01
Platform
win11-20241007-en
Max time kernel
1800s
Max time network
1775s
Command Line
Signatures
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeStarter = "\"C:\\Program Files (x86)\\GoogleChromeUpt\\Updater.exe\"" | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1456 set thread context of 480 | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | C:\Windows\SysWOW64\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe.config | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.zip"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" display.dll,ShowAdapterSettings 0
C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
"C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\dwn.exe
"C:\Users\Admin\AppData\Local\Temp\dwn.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
"C:\Users\Admin\AppData\Roaming\ChromeDEV.exe" /launchSelfAndExit "C:\Program Files (x86)\GoogleChromeUpt\Updater.exe" 1988
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
"C:\Users\Admin\AppData\Roaming\ChromeDEV.exe" /watchProcess "C:\Program Files (x86)\GoogleChromeUpt\Updater.exe" 1988
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
"C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"
C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
"C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"
C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
"C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e73bfe01-d2f2-40be-a02a-6e8be10b0a90} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2316 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a68a5cb1-ec2d-43f8-8205-ebaf5703cc89} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89cab717-26ab-4a74-9c75-e5333be12a0b} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2852 -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 972 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebff2389-41ab-45c3-b026-e1e46b4df658} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4496 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4492 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0123aee-2563-46a5-b903-ddfa72b6590a} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 5364 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db705298-0b1c-4f61-b3a2-b0cc265fa9b9} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a50eddd6-4ced-4b28-a729-8476d900cc93} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5716 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b499b37b-38d1-474d-8541-6dabcc696b6b} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6052 -childID 6 -isForBrowser -prefsHandle 6240 -prefMapHandle 6236 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1542ab7-f4d6-434e-aa69-ab531c174219} 5124 "\\.\pipe\gecko-crash-server-pipe.5124" tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdd7d3cb8,0x7fffdd7d3cc8,0x7fffdd7d3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5976 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3680 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,3583689039030005955,9290957151261842297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| DE | 2.17.187.131:443 | cxcs.microsoft.net | tcp |
| CA | 198.50.242.157:443 | tcp | |
| CA | 198.50.242.157:443 | tcp | |
| CA | 198.50.242.157:443 | tcp | |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| CA | 198.50.242.157:3846 | tcp | |
| DE | 2.17.187.131:443 | cxcs.microsoft.net | tcp |
| GB | 2.18.66.177:443 | tcp | |
| GB | 2.18.66.177:443 | tcp | |
| GB | 2.18.66.177:443 | tcp | |
| GB | 2.18.66.177:443 | tcp | |
| GB | 184.50.115.104:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| US | 104.208.16.88:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 52.113.196.254:443 | teams-ring.msedge.net | tcp |
| US | 13.107.226.254:443 | t-ring-fallback-s2.msedge.net | tcp |
| US | 152.199.19.161:443 | fp-vs-nocache.azureedge.net | tcp |
| DE | 2.17.187.131:443 | cxcs.microsoft.net | tcp |
| GB | 184.50.112.58:443 | r.bing.com | tcp |
| GB | 2.18.66.177:443 | tcp | |
| GB | 2.18.66.177:443 | tcp | |
| US | 104.208.16.88:443 | browser.pipe.aria.microsoft.com | tcp |
| N/A | 127.0.0.1:49968 | tcp | |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.149.97.1:443 | firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| N/A | 127.0.0.1:49975 | tcp | |
| US | 151.101.195.19:443 | www-mozilla.fastly-edge.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | tcp |
| US | 35.190.72.216:443 | prod.classify-client.prod.webservices.mozgcp.net | udp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | tcp |
| FR | 23.210.249.26:80 | a19.dscg10.akamai.net | tcp |
| GB | 142.250.180.14:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r2---sn-5hnednss.gvt1.com | udp |
| NL | 172.217.132.199:443 | r2.sn-5hnednss.gvt1.com | tcp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.72.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.249.210.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.132.217.172.in-addr.arpa | udp |
| NL | 172.217.132.199:443 | r2.sn-5hnednss.gvt1.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 184.50.112.58:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 184.50.115.104:443 | www.bing.com | tcp |
| GB | 184.50.115.104:443 | www.bing.com | tcp |
| GB | 184.50.115.104:443 | www.bing.com | tcp |
| GB | 184.50.115.104:443 | www.bing.com | tcp |
| US | 104.16.150.108:443 | techcult.com | tcp |
| US | 104.16.150.108:443 | techcult.com | tcp |
| US | 151.101.65.181:443 | scripts.mediavine.com | tcp |
| US | 151.101.65.181:443 | scripts.mediavine.com | tcp |
| GB | 172.217.16.226:443 | securepubads.g.doubleclick.net | tcp |
| US | 151.101.129.181:443 | scripts.mediavine.com | tcp |
| DE | 52.58.61.54:443 | exchange.mediavine.com | tcp |
| US | 192.124.249.31:80 | certificates.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | 38.201.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.249.124.192.in-addr.arpa | udp |
| GB | 184.50.112.58:443 | th.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| GB | 184.50.112.58:443 | th.bing.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 142.250.178.22:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.230:443 | static.doubleclick.net | tcp |
| GB | 142.250.187.230:443 | static.doubleclick.net | tcp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 172.217.16.225:443 | yt3.ggpht.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 172.217.16.225:443 | yt3.ggpht.com | tcp |
| GB | 142.250.200.10:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.200.10:443 | jnn-pa.googleapis.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| BE | 142.251.173.84:443 | accounts.google.com | tcp |
| BE | 142.251.173.84:443 | accounts.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | udp |
| GB | 216.58.213.14:443 | www.youtube.com | tcp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| AU | 74.125.152.6:443 | rr1---sn-ntqe6nes.googlevideo.com | tcp |
| GB | 184.50.113.65:443 | aefd.nelreports.net | tcp |
| GB | 184.50.113.65:443 | aefd.nelreports.net | tcp |
| GB | 142.250.200.3:443 | ssl.gstatic.com | tcp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| GB | 142.250.200.10:443 | jnn-pa.googleapis.com | udp |
| US | 172.217.131.231:443 | rr2---sn-q4fl6nsy.googlevideo.com | tcp |
| GB | 142.250.179.238:443 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| GB | 216.58.212.194:443 | googleads.g.doubleclick.net | udp |
| GB | 184.50.113.65:443 | aefd.nelreports.net | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| GB | 184.50.113.65:443 | aefd.nelreports.net | udp |
| GB | 184.50.113.40:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| DE | 2.19.96.120:443 | th.bing.com | tcp |
| DE | 2.19.96.120:443 | th.bing.com | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| GB | 2.18.66.177:443 | tcp | |
| GB | 2.18.66.177:443 | tcp | |
| US | 150.171.22.254:443 | ln-ring.msedge.net | tcp |
| US | 104.208.16.88:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 152.199.19.161:443 | fp-vp-nocache.azureedge.net | tcp |
| US | 4.150.240.254:443 | arm-ring.msedge.net | tcp |
| DE | 2.19.96.128:443 | th.bing.com | tcp |
| GB | 2.19.252.134:443 | aefd.nelreports.net | udp |
| GB | 2.19.252.134:443 | aefd.nelreports.net | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | ce1a2b6663532b46722d4bc7cfc2908a |
| SHA1 | 8bb339ed9da1b468532dd7206091590b96672829 |
| SHA256 | 2c292df42df335844bcfe2b5eb1149500bc595e4db18c1cc1beaa31535b257dc |
| SHA512 | a77b4a32880de8374ec0a258175e12fd7caa9b56df30ff523e80dbcfc0f179ced17c1c33d85b1bc55461c2982e36caecd0a2975884a9dec7bc9a6dd53c0e2307 |
C:\Users\Admin\Desktop\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
| MD5 | 991e707e324731f86a43900e34070808 |
| SHA1 | 5b5afd8cecb865de3341510f38d217f47490eead |
| SHA256 | 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153 |
| SHA512 | 07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79 |
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | bb683902f4d897285b9eb79d71a86df6 |
| SHA1 | 6ca60977902f02b72afd24caa65be77d06692b09 |
| SHA256 | 1829d2480ab6bbfe942aadf34cb74ccd651427d10a9b51b222923fb921ebfc70 |
| SHA512 | edbb9b416ad84ce216ed18db11cbed0b46a079b7b2463e942b809a8a2fe5540eb1101114c5d0944da383c02617dec1017df1235949caf24eb515550f456eaeda |
memory/480-33-0x00000000010B0000-0x000000000112F000-memory.dmp
memory/480-34-0x00000000010B0000-0x000000000112F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwn.exe
| MD5 | 233df6b3803532e93dc307f6739dbcfc |
| SHA1 | 33d32253477f35e01763207b59d60fdaa3f24581 |
| SHA256 | 1b0f1c3f410211b515d0f61bb0c9fcdbf71287fe73a0feb2ba27a9e51ffdee02 |
| SHA512 | 0d1bd2ab3a37bd3840121001097de98ec8680e79bbc3edcaf4bd77e0b115b5e9fb6945f5897172c554a44ffdbfc8af4afa9914ec11c8259322e927a8c49ef345 |
memory/4480-47-0x0000000000CF0000-0x0000000000DDC000-memory.dmp
memory/4480-48-0x0000000003240000-0x000000000324E000-memory.dmp
memory/4480-49-0x0000000005870000-0x00000000058CC000-memory.dmp
memory/4480-50-0x0000000005ED0000-0x0000000006476000-memory.dmp
memory/4480-51-0x00000000059C0000-0x0000000005A52000-memory.dmp
memory/4480-52-0x0000000005EB0000-0x0000000005EC2000-memory.dmp
memory/4480-53-0x0000000005EC0000-0x0000000005EC8000-memory.dmp
memory/4480-54-0x00000000064C0000-0x00000000064E2000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/1176-68-0x0000000000950000-0x000000000095C000-memory.dmp
memory/1176-69-0x0000000002B60000-0x0000000002B72000-memory.dmp
memory/1176-70-0x000000001B4D0000-0x000000001B50C000-memory.dmp
memory/2156-75-0x0000000019EF0000-0x0000000019FFA000-memory.dmp
memory/1988-91-0x0000000005210000-0x000000000525E000-memory.dmp
memory/1988-93-0x0000000005AD0000-0x0000000005AE8000-memory.dmp
memory/1988-94-0x0000000005E70000-0x0000000006032000-memory.dmp
memory/1988-95-0x0000000005CB0000-0x0000000005CC0000-memory.dmp
memory/1988-96-0x0000000005DB0000-0x0000000005DBA000-memory.dmp
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/1520-110-0x0000000000C10000-0x0000000000C18000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ChromeDEV.exe.log
| MD5 | bb27934be8860266d478c13f2d65f45e |
| SHA1 | a69a0e171864dcac9ade1b04fc0313e6b4024ccb |
| SHA256 | 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4 |
| SHA512 | 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb |
memory/1988-116-0x0000000007030000-0x0000000007096000-memory.dmp
memory/1988-117-0x00000000076C0000-0x0000000007CD8000-memory.dmp
memory/1988-118-0x00000000070A0000-0x00000000070B2000-memory.dmp
memory/1988-119-0x0000000007100000-0x000000000713C000-memory.dmp
memory/1988-120-0x0000000007140000-0x000000000718C000-memory.dmp
memory/1988-121-0x00000000072C0000-0x00000000073CA000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 1e7dd00b69af4d51fb747a9f42c6cffa |
| SHA1 | 496cdb3187d75b73c0cd72c69cd8d42d3b97bca2 |
| SHA256 | bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771 |
| SHA512 | d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\01087e0e-629f-428f-aaa0-9f7b01e8009d.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-1-11.1933.5068.1.odl
| MD5 | 3ae746aa681cf9663411f3765bdef92c |
| SHA1 | 8276ba34a9e7d37bc20099fe6b478fcd3b9d024b |
| SHA256 | 27dd02259173074a8ab6a6e37c5ace352cb645342c83191887205957507b1bd2 |
| SHA512 | ac5025bc69b9232a85f0541e1a4064779a2e871dcd83bd55f03646a7ac66cfe3e3c8a3b077c2d54ff7d1b727bbc98dfe37607f6bb5aba0369370caef7a64ab22 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updater.exe.log
| MD5 | 23095077e59941121be408de05f8843b |
| SHA1 | 6a85a4fb6a47e96b4c65f8849647ff486273b513 |
| SHA256 | 49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5 |
| SHA512 | 05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\4cd68eba-d3da-4ca2-a4e5-c3dc93187bc1
| MD5 | a99b0472738612ede074ed75235fc8d8 |
| SHA1 | 34ac97811fcdd0769b0879e0a1df1582a79874bb |
| SHA256 | 06364204e9fdecda40cd094757b14d0befda0b5d7cf5c62dddf1efc98c0acf32 |
| SHA512 | 94f0ce984852a39a47a0a01d716f86db09a0a68d1eac5f2ffaf016af74929c86f80cf68ade8b8fbd6f8e498d90d8a93d823bc969e5bcd9910b657a8f9bc85523 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 8731ea5ca0f379fbc7f7aa5be9cc9989 |
| SHA1 | d0e1d196f80d6938bd319da00cd2647e61bc36a6 |
| SHA256 | d0761970db711d156e3b076628e6d0bab167c5d79c72576e51de67e33105dd33 |
| SHA512 | 7cc528196fac6c301301ff8229c5d019da7c5dff01f6f76ad76178e2ffc9a7a31fe1bebbd2fc1eb0c13c54001b933dab87928102802fb50cff92a3288aaaecf5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\a56f9162-53ca-4415-8188-eb464f5f21a1
| MD5 | bff14d9ef6d521cb449006baae6450a7 |
| SHA1 | 5a70f0f4fd07863753bc2a134340b1351de8ac9a |
| SHA256 | ff4cede1120cd0cfff357a5704596495d8c4608f2c6629609ee599e2f04eabb1 |
| SHA512 | 119aea8470687c597ab2f05fc318b24e7c176c6cf6ea01424377f8c297c931bea83cfa220bb34093b9f4fe4e5ef9d9878a176a0581a1cf7d8f4c942bccbc4354 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\7f34c377-b4c0-46b7-8003-2acfb1682fbf
| MD5 | 7cdc81b295da78f56af7f32266b0a096 |
| SHA1 | f6618e36026e757a76968dd492d146b671ad24bf |
| SHA256 | 98a84f212e0ff0058b2a135adfaaf2853d11a9d9bc77bbafc377f8533555d977 |
| SHA512 | 9c6e52262fbb1224df2f47c1ac5fe69c5b289c8ea53ec1fa92c346de22f40d983a5309361e00340f43840523582a2a3e8a5217b97ea2eb088a2fa4e2c14af24a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 27a7f17e4193a7cea1705e86513fbefb |
| SHA1 | b82c20be6e6142800dcbeac5a4a82f7cedad97d4 |
| SHA256 | f4a1a52a76c7a23fd50f64ae02045791ba2cf49cc1624fc8f8963f0251f7d501 |
| SHA512 | b30d7a4c815caef1c6e34857aec8161559122ed1446797b906b760a96e763491c54abc343a31040af49af46134db7204f38086ac532f852aa11cae21db967cb7 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json
| MD5 | 420c7216e35383fcbcc9cef62be7016e |
| SHA1 | 5c4bd878561229b42ea196854564f1b95a286867 |
| SHA256 | c1cb71868294296b796ef8fabc75926bff60792365c11351bfd6cb1ad74c1107 |
| SHA512 | b8f77cc6bf9dfe01d3d5b6f05d6298b6275f4b009d0c6e2c698311ebe7a860488ec4815e48312e5e0bf3cbcffa72cf776a116dea869f1e46ebcda9394c21d171 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
| MD5 | 96c542dec016d9ec1ecc4dddfcbaac66 |
| SHA1 | 6199f7648bb744efa58acf7b96fee85d938389e4 |
| SHA256 | 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798 |
| SHA512 | cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js
| MD5 | 1d668de2435673593bb20e7a463572d4 |
| SHA1 | bdcb850d46c752cb83498edc32d161d4d621697d |
| SHA256 | 1cd8d6ac20a062537e558f5019f836a4bd0b198d40460d6c4e202b98cf25f405 |
| SHA512 | 50501f40cf37d5fc0eae7061a6cf51a50bbb421ad4a42ccf6bcfcbf2d332f2aa6b439e52258d439486662da3f63ba3c24ebdbc0340db06822c5ad08a50331eaf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
| MD5 | 9fc8f756e7109adfcefee2f252c8300b |
| SHA1 | 88f20402cb6802b94589612c110a2993862e7483 |
| SHA256 | 567b38083f0484e12bb49e9c083f8d2f325ff1636ad6c387f002b0508a8b7100 |
| SHA512 | c2ac8a2bc4e3d2cb35ad22336e3dfb04f136d4491e532a78cbbdb6f9e0331c88031f4be1e8e307c2cfddd7aaca7ea59adde777d39bd8ab4915a5abb8c0bb3092 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin
| MD5 | 4af83e13f5d8a5529bb2c6cd1499da5f |
| SHA1 | 65d79b9d720639c7560f058c6538cea0ec691a4e |
| SHA256 | d319a87ffc1e34cd7309fc2c22327e592da4a8ef69c345836b0b3c7ce993e932 |
| SHA512 | f10a9be7269f1f7e6f2f045bdb91dfdd22b299dadf7c8841bc6f9d2ee405b3bacad284bf7c465397742cfaadf0aa8171b42c3dd459d03d5e5256d7da2179ab30 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\cache2\entries\B12380E59E366D551CA91542483B50A71D3DB16C
| MD5 | b465fdf0f379fd4f65414f3b27b36d2c |
| SHA1 | 3a7eefaa1c773f06a461107673dc3c36aa34f77b |
| SHA256 | 40c4cf16f27c96db07f045d7683fb26bd5d8b0917ee004202428733c68adb4b5 |
| SHA512 | c9e7f850d6b900b12ea98fdcd25fabd0e4cef194cef940797c912fc3dc113b4fd7c9f8b0b0068af1b7f38b559f4ee366b6d8eafadde8ff921fbf80ca2bf79794 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 997e5015e367f49d05206e84db9d1ac1 |
| SHA1 | 6533437b7fbb18ce828ab1f13d76ff1b8cbee78d |
| SHA256 | 766bf302f6c0636cfc4acdb8919c761948a53168b42af40a56956cf9161bb0bc |
| SHA512 | 50e69606de0a7716bff59692e13bfca0cc0371d629e69b31519e519db95f8b58c43cabce355d766cf61a4607c3fb80fbb42bded000d8cba7803e8da72403bb88 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js
| MD5 | a596d8b16b1c94deda6f35160816105e |
| SHA1 | 8764eb740632b21c245e7943733ab133ab293c8d |
| SHA256 | 4614c8c77a65283ff1208d97999f723ea276ac484c7fa76ead80e381490f9a01 |
| SHA512 | 01f0cfc6b4a1959559ed4a4490c0d5ecc6c417f0a20a6e74e9c095d715e18017cac8c83c632feaafc3c42640becfbeb3d2d2995bd58dd6ed78e71293326c90af |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 09372174e83dbbf696ee732fd2e875bb |
| SHA1 | ba360186ba650a769f9303f48b7200fb5eaccee1 |
| SHA256 | c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f |
| SHA512 | b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
| MD5 | 2a461e9eb87fd1955cea740a3444ee7a |
| SHA1 | b10755914c713f5a4677494dbe8a686ed458c3c5 |
| SHA256 | 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc |
| SHA512 | 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
| MD5 | 842039753bf41fa5e11b3a1383061a87 |
| SHA1 | 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153 |
| SHA256 | d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c |
| SHA512 | d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin
| MD5 | b745f2e873b5bca7e505b8ca15b8dae6 |
| SHA1 | 78335c220399a7ba4c2fda6deedf4611f562b04d |
| SHA256 | de6dc2f625659ca97c7e2561c9e7f5496effe82db15b96b9ff7cf5847f24e72e |
| SHA512 | 4b160f17a01beb862b7e6cab6a87f91d0eec0ebd3cdfaee88901f01f65f0d1fc2abecff0c4a857a555f315864806a42de54e345206ea4ccb8ee2de12d9fbead4 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | 0a8747a2ac9ac08ae9508f36c6d75692 |
| SHA1 | b287a96fd6cc12433adb42193dfe06111c38eaf0 |
| SHA256 | 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03 |
| SHA512 | 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
| MD5 | bf957ad58b55f64219ab3f793e374316 |
| SHA1 | a11adc9d7f2c28e04d9b35e23b7616d0527118a1 |
| SHA256 | bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda |
| SHA512 | 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
| MD5 | daf7ef3acccab478aaa7d6dc1c60f865 |
| SHA1 | f8246162b97ce4a945feced27b6ea114366ff2ad |
| SHA256 | bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e |
| SHA512 | 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js
| MD5 | 5d789323f91c99aa9d318109eb491aaf |
| SHA1 | 442fb1cf790894e760f6277d520d03e60028ef8c |
| SHA256 | 79a7087b0e7ced52ab83144fa860202d70feaeb0d57f521a4b5ba0d71676b1b0 |
| SHA512 | 41aff4cdceabc9b85412726dbd9afd0dde570c6104f648ea9414fcef59517015a2eba7cc20ddeb910f70dcfe3ca689117107f83775a7ecbf0837d3c459da74cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4
| MD5 | 26764abbf6dc8b54e2519a97707e2b8c |
| SHA1 | 0aee876b8ef5a4bbab632020aa370a6b3876d3ed |
| SHA256 | 88b4c8c937a16b47fe5c19a79568b409102bfefa069f073fac99d604a1b8ee92 |
| SHA512 | f8ab6b0454212e659c06205a0a06cda43ec4285652dd9e9c1b9cd01b13f485e990181341d6490c9d71491a20a12ed6675b980985376bb9d82d91c60d5fc0e960 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4
| MD5 | f4645fc6a079894546d81daff0811715 |
| SHA1 | 46c42e26670525d61f5c9ef3e005732b60ffaaf8 |
| SHA256 | fd0c49218a5c7f6aee7e32e5ab5062bb492cad1b9bdb9d2b4c00d047e013971d |
| SHA512 | b53502997d7f05e50e0eb747d256cae0f917268e1ef9ec4bf2dcace3620305b172906780b5cefed03aaebbaa7f6cf9736c18f834c3cb57212626b97ebe133850 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4
| MD5 | dc1118e2244a252a46e2588b195a1de0 |
| SHA1 | 9d6d16a4bd04de7e6715d50d0e504136e856849a |
| SHA256 | 21724a3acfa85660c4f617386fd29bc5add8435a577dcb3888c30a6267611b69 |
| SHA512 | 963349814401785dda603db0eb89a94f7bcad848a6c97caa3aad677ef906de411989dd324cf60bfcaf14d125870e60fc486bab791cc4ad13b36cf259f2e63ddf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionCheckpoints.json
| MD5 | 2d87ba02e79c11351c1d478b06ca9b29 |
| SHA1 | 4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1 |
| SHA256 | 16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524 |
| SHA512 | be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp
| MD5 | 4984c895ab52baab4de6bc0684b76e26 |
| SHA1 | 56824d33099afd075a93d3cb65df956c4cd0b2cb |
| SHA256 | 3e0ffa546435702f5850545243c68996f91c7ebae295a3fe4924672a945d0a57 |
| SHA512 | 33662536ea40881bfbfd46988d92ff4a6ca8ee31e0f6081aa9dd207ab51ed7accfef5844444f7b6be698d37448c7d92bba9084c6b60a3ed7ced8baccd58fe0d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cb557349d7af9d6754aed39b4ace5bee |
| SHA1 | 04de2ac30defbb36508a41872ddb475effe2d793 |
| SHA256 | cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee |
| SHA512 | f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a |
\??\pipe\LOCAL\crashpad_5064_IDXCFBQKUJHNNPIP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | aad1d98ca9748cc4c31aa3b5abfe0fed |
| SHA1 | 32e8d4d9447b13bc00ec3eb15a88c55c29489495 |
| SHA256 | 2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e |
| SHA512 | 150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 99da623b50b957a73bf6de851ce2fc55 |
| SHA1 | 42731bd51e60a2c1b6a8d7fb22e4f209a158dbcf |
| SHA256 | 6e1253b8ccd6fe8764fac31f919df3970a025253a4d26bd13fed7e266b83ba71 |
| SHA512 | a405be76ac48bcd0abac0537d0e4ae28d765b770fca17bbeefc9255ba5cda6f7c4bd4368604df4bac5f4aca973513d6cb78638c95a314588017f4bb356e200f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ad224e4c165f2b696df3a4ba0ed3e2d2 |
| SHA1 | 07878e9df0fa19ffc0a68a1df63edd5b3aa838da |
| SHA256 | 3dd4bdc72b318af6a7f16b2068120bbefa2f3f844ba6db64a887de8ed16565be |
| SHA512 | 377e0f438abbb44d825a38a14a48f8eb0cfd3fcdb3ebf285b2ab0223af95c91d8355b79413d2b68ddbb5b97b3647129a8c12a599f6af34d6287acda3465e2dbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 16405a725f145184389d99e2503b78d1 |
| SHA1 | 89416dba6cf3e3a51ea1b8e297d86b47c0d8e64f |
| SHA256 | 089eee0dff1e60d7f8c372fdacbdc21968db04bb6462a0aeb79cb10a4280efb9 |
| SHA512 | 2696398a6790625a36499d6334c8afd7df046e2cdff85cc62e8ec8cc1c488167565b54214699e392511130b711a6ce166da27e09abf05bdafada869213793e2d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5c3a44d094e9a4bf11683c98992a2e2e |
| SHA1 | aae0fd8312d32baf6ffda6293c9362a0358f6abc |
| SHA256 | d4528bf57ffb89d42b51764218a4224644a078ace8d58f2ae833f4ab831a32b0 |
| SHA512 | e1826fe22380e483344ab0a8276626955f5655961983b3e56fdf4a1615ccc665ee67beef68b2baf16ae7a891d020e4be608b2aea3cfcc8f3e4389b06b4bac0d3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe62cc05.TMP
| MD5 | bb701565d109f74c4755ff69a76d19bd |
| SHA1 | d35f89e49c624319b296b13a31c09e5cfcf77684 |
| SHA256 | 5dbad8665b48d05f454c61b1cae4257177763ffab8e30fba9a149e1c0be3086c |
| SHA512 | cac736523451fa5b99860644deb90e235ed21eedd7ffb0dd9065084247b18b43b97eff7706e53ebe92debf260516951e0bdcc984f7ef19ce5e81b005585f8a80 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 73cca955df1d4bda609b6f1ba2d5c052 |
| SHA1 | 9c32f8bb2f025b8bb01c211b08a89747719d9b75 |
| SHA256 | 1c44c236bab7c2b7ff574afa7bf29bd96f5a0024e72882df19ed49fd9c4b4adb |
| SHA512 | cc8c1536611c08174d1885b53589f5eaaaf21ec82511d519b3b23c1f2752c5fd0c55df731111373c7d92fcacdceec61371253e496eec7f95eb79c582d690d54c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | d56dce8a22fad76a4bee7ec002220d42 |
| SHA1 | ba7da25eab2b71a5d9df75492e7ccd09cf751e88 |
| SHA256 | 64ac763fbc6aafd979a89095de02bd1add4113e954ec3dcfa692673c7c4f8d79 |
| SHA512 | df68538f1ca92192e54a5d1b953544e7a681ae08bc75fe13609ed77c57d652596b14cde1ff51a9c39eab90967044168754363bd1813dceed3ce0eecf27d93cdc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c0ec439f896264a7a279299061da1325 |
| SHA1 | 32248cded98827113447a43769f3a1a0383bffc6 |
| SHA256 | 7d808a2a93a12299747935f77418c5cf9182cddcdf3e1039cbd236462fb477e4 |
| SHA512 | beabdfd86dca2df38a29245b63c5a472fce9f33b4f48b08e7ad20d9d46eb5b7b1885d39a0b538248ffe5a591ca15c7ab1ebe68d23b16bfd9ad66b819820aebbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 432941ad815a98026216f794ee3b6476 |
| SHA1 | 02f3d2856c7b5c578164312f6f0ecbf304347592 |
| SHA256 | 5c77fc065c36598ae792255defc4f3c18a97f68768e6de0d9fddf0263314cac1 |
| SHA512 | a677922fdfc13cac84e2281c96769a9251cb0d7df7cff5b32ffc171824c734b54fb783b3a24715011100a0e8ef824f9e007a4c90723963861ebb657f5a2dbf9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | de9272cad14fd384287738c8e8da2942 |
| SHA1 | efc8ed2e386b375b62daee86bc54de7fd3cc1fb6 |
| SHA256 | 946448e18ff037b473574e9c118752500c389e2d1abd68cd7930a60307e09098 |
| SHA512 | 35cfe59cda90d148d0886af19f6e6868dff6add6617da68cae4998e8472c2e0aa118d4a6ae782d41c7caf99b34640aca244292c4a3266219facfc1e88dbb1834 |
C:\ProgramData\bootdata\logs.dat
| MD5 | 9265097cd89ae9394e75738dd38ded73 |
| SHA1 | 95244fbf057894ecff4379ab3bbcfe5b638819e2 |
| SHA256 | 2874c849a84a2dee281fd8c52dfc9d03c4ce175c0f913045d0db77ed24e8a538 |
| SHA512 | 2997a374ad0ed08bfda419072d4d796f17e0202f9e7513ea2b62e2cbebf834376ee7989933652a6782ebffac33dce09210be9026018570c26d87f4343b8d0c71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 69df804d05f8b29a88278b7d582dd279 |
| SHA1 | d9560905612cf656d5dd0e741172fb4cd9c60688 |
| SHA256 | b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608 |
| SHA512 | 0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 52d8858cc9c17e996d940db85aa1c11d |
| SHA1 | 1322a531bb5986aa9fa4968a07c7b7e157935603 |
| SHA256 | 96705d306c62abfd60eb9adc42dd17af0a38f164d1462c6a41199741d203c2d3 |
| SHA512 | 58dee430741cc64e9882fc01a6a539bd6d41e81e805103e468010f4d2642828b880656878c16f74b6ec0e325e762c69229ec19eb5c02becf29a703f23ce489f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | de26ddb9b2cc9d122a6d175a045c6681 |
| SHA1 | d98ef4e9fb466ffdd7fd265dc7111f068212b034 |
| SHA256 | b38df85c1ed330b27de17470550b7dfdf04d148fb3603d6a2e8d77fb36edfc1f |
| SHA512 | 3663d05a41922b47c3cfba7d4d6d0e4179aa27734de1c1f6f3566956039dd3c63396ce7126736b25f7e042fe0d90dc23dbefee8a6d744521fb10c2caf09085ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 695a98dccc7dd867090372a5e2430958 |
| SHA1 | 2db3c5c5c6a4cfcda452c79f78ff1cec3ce8c04c |
| SHA256 | 626ec60b9bd899a503f5f7ec82d4c53f193fe5bbd77b06eec627293fce97c96e |
| SHA512 | bdb0a090dd6dc2e9f2555ce2339b655640d821b9941a6913d4241631f8eb92f305042cbe4b00d34e82b045655929fbd98f9241303f2c3dba2f3f110dc12cf6e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | e506bf1729d6c46d4f182d0e7450368a |
| SHA1 | 90dac29f13a0b6916524585acd9c0c39208d1f94 |
| SHA256 | 69fe452af53baab3efa6f985e56119f03b8ec09828804eea953caa42eb076bde |
| SHA512 | 1d0164872a979df978df0f05918bed8a7ed43cc7959b5919793bbce7e4f70cee6a3fdec25483da931d64e643d85be18e96ea137911d75a8917869dd6a8d53660 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f69bfd582304bed1ab3013fdef2dd9a3 |
| SHA1 | 1c482e6685957d34a1c54cc9b760f040ba1ab5ae |
| SHA256 | f5d414df27a6b993ef539aacffd2063af05e06201297108a215db6d18ec7ed66 |
| SHA512 | fb6b784e2ee8479de8d09291bb79762c345894fa91f3dddf181921668ca79170c7b854767717d5a7db9058907df040d2d4e56db05dcec120af8fd19b1f454404 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f6accfcc-d7f5-4f8c-8af6-c373e95adf58\index-dir\the-real-index~RFe653b8e.TMP
| MD5 | d4e436194c759413c30c22e8037b0e42 |
| SHA1 | cb140d8343b633e99f4c5ce2bd5f098dc4b4acde |
| SHA256 | 0271c87e7a316cbde47a0334d59140741770c02f3b3704f8749728f796b6595a |
| SHA512 | 3e2b79b86aa1a39966e5b05bc7aa4a645aeedccede7e562143363f8405176a57ea2d8a2b68d2d472860d4ed3eea34acf4a303f76829c4a3b5def2cf6af0950f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f6accfcc-d7f5-4f8c-8af6-c373e95adf58\index-dir\the-real-index
| MD5 | 99b974b96a73bfc92f0c11764aeefa2b |
| SHA1 | 171a25f726522733c6eab5bc1fea3fcbea3ef718 |
| SHA256 | c79becd42f8c8c3862614d539fae767569d1671b167b26a4aa069de6e382816e |
| SHA512 | 0472751bf7fceb6aa5c9f98e8f14e00f131a5496c49d203d32993cf4d93649305cc1144f364c778c0f46d55444628d496d8ea24673a5552f1991cc8d09fc318c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7deebab22447f685d3798aa463b78b09 |
| SHA1 | 1661c129ef5a6f21d055de00e096e445caf21629 |
| SHA256 | 1eb3de229fddd5b7b0a383968eb357fd86dcd6309be6cf4dc31f93bea071255e |
| SHA512 | 6b971e070fa930627c16effd116dbcb54993ed30f94b5c0a0303e21f2e3c61b318ec886c8db549415ebf4fbacc997c7608af6ec98afe2fde4fd238aa9438844a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 84822d838ea2581a4cf3dfbd33b9fdc9 |
| SHA1 | ed8962ac802e8a8ba3b67d88e25d4cc16477a612 |
| SHA256 | 7f6d70be818fc084998801b0bc3907d707737b35378c1af2ef4615c2d2066b9c |
| SHA512 | 6c8ab32fee3c938151613a8d31e894181af7c850ec1108d64a1d337f2c9036d93ade82432671a21af784f4cb4aadfc8afe60f4438d95a132c8ce1a38647de639 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe657c60.TMP
| MD5 | de5ffa27159ef9ea449540f37db9103a |
| SHA1 | e99e3012bc712079b5990929b88686717da40e05 |
| SHA256 | 7459489d1a16fb0157ca284c7e9b440c829d1050cbe919232285b99e12e1497a |
| SHA512 | 09401c1c9e20a830bb67c0956e64bf366b4accd817b89dab91e19e63c31ed5b1fb582aec1893c7f503ef54a85e6a0d3719eb14c97446ea163df39a1eb0620f48 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 5716ace5ba4c878adb256a069719c72e |
| SHA1 | 13419425587c9db775b664b37f2c5b8e7e564241 |
| SHA256 | 246bc2a79dedef1266ba1db05c517cea36afdbd2840ce4252ab972a52e73d719 |
| SHA512 | 3d3d650e8a433af94249d5db6d408716dd16ad4230ce3cccd2d08735af70977ca92f2ca512a1ee455ca0b60cb4cf1b1493127d40e78dcc90be053eb9e01df3f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | de63211ec0e8edd19488880da4790ff1 |
| SHA1 | b1bbee1f43498d038e15862308dc7c08b6e6f96e |
| SHA256 | f76eec55103127ca510e70f691c5f0db84a107db72115af1fb348c6a5c430181 |
| SHA512 | 7e4adaf6350e390560b157324d0a9d89931c4b01c8784deb8fea931bf07315434fcf66fd42696e5820c78b1358f002054c91c55e38abce59fb8360980a027311 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 31973b1c99070268df7ace9adccf5df2 |
| SHA1 | 63139c5a87e211cdf186f57cda05ed8fc82f0ffe |
| SHA256 | 8f16bbf4e6f2c39162258db05f52f6ba680a25804f29a070467855b988d70fbc |
| SHA512 | 83b785895adfc2928ff33769be0d50d9768d2d18be5d53dab45035a94852b43c0b3e67f25d51ba2dde39d0f516189aa6397e9ed606ef08fb0e6623d07182b92d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
| MD5 | bda83e115d4a1d2610fe3966ad90b291 |
| SHA1 | e6061b6cd959a5a9ccc781790cf509228237eeab |
| SHA256 | 189bbdff5bf4ba979ea3dadec4bae9c228927ca776494a1cbef5cf9f29459019 |
| SHA512 | 56313f3f5c8c955e0c835d0b726f2672c27ab803206617c43a106a750d7b767a57699aa3e5aeba391eb473e7e4aef1a5812a6a8a581137e3c1604a3ee4cac173 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 7527c88a1cde9231349b4875db20b00c |
| SHA1 | 4db67dad38a6d76cf1bb1dfec9365ce4106d1da9 |
| SHA256 | f91f13e1fdbebf46c57595f373399818556af6699671a8d8027cf3f080c88f00 |
| SHA512 | a8016781ee92a641f7a871a674127e1e09815b1b0d48e3772c4eac3b453e380ca797ad6fddecf39e2bcd32f2469e155ddff586135d381b9cb4340330ccadf32e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\58f01674-e3af-4984-8b6e-d6999fd5a06a\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a
| MD5 | 65da8d6932ad74d3b51694b5a28dd0bb |
| SHA1 | aa6e37cdacda153f499c299299a4dacf50c93765 |
| SHA256 | 309ec80a404d5ba8c9816e0932bff343c8e205fe36819908682289ed7c7ae482 |
| SHA512 | bfce7ba0e18dde7d6f833709e565f704701d7a51b14d7c11b06cdce0b057290a334219c9aa4f7ea098c097eb779a2ceca397a9ad1ede0784348f78c81fd55015 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b
| MD5 | c42c08a99ce3c2f433c063b397a47f02 |
| SHA1 | dab8b138bf74bbbe13eada32a0adc30a1e7e6e36 |
| SHA256 | 7f443fd5569722f8b22d3b740737bc2d576ebe13e7ccf4ccbdb9452eb1d3b97b |
| SHA512 | 2f0fe5b1e51b60ea451f0aabb9c80818e2d2bfb46fa2851c41f49d2b069eaae26ba21de6233c2611d7dceb1394beb953acb574f97abb950291bc8a8dd78a1a96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 76061382cc44fcdc6422da3473531a8b |
| SHA1 | 861a80db17d5df927234902cff9123e7577dd7ef |
| SHA256 | a2a16e22b396818207c828f1964d6195ce6b9e25b945b4b7fbe2977799435dfb |
| SHA512 | b39c9b6015655a20dbfffab0bfee4cc1f996e9f96c4f2805e772b7873914a8d359072ba32a3db3b1ea9c5984282a0e24e9d8bc73b6d2acbba325bdb2c3e8bf98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d1c78c76779da201d875e290f967f8d5 |
| SHA1 | ff932cac6421d2f72f8362155aacfc5f7d8787d5 |
| SHA256 | bcb1a1eb60983467272abcae7df286375653f36705eb031c52974947f9ac29d8 |
| SHA512 | 4cffa85cee15fa0fca4adc56a4b1126f6dd11731a584b70fca099e90e5669fceafd74e8fba7e7d198d52abe568256594b36cc1888ae82428005839779748314c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 0d89f546ebdd5c3eaa275ff1f898174a |
| SHA1 | 339ab928a1a5699b3b0c74087baa3ea08ecd59f5 |
| SHA256 | 939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e |
| SHA512 | 26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5 |
| SHA1 | 6dd8803e59949c985d6a9df2f26c833041a5178c |
| SHA256 | af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725 |
| SHA512 | b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 226541550a51911c375216f718493f65 |
| SHA1 | f6e608468401f9384cabdef45ca19e2afacc84bd |
| SHA256 | caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5 |
| SHA512 | 2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 931d793e78464499f03dc08f7f90fb14 |
| SHA1 | 3c8a576da1b1a5be6eb97a0aae53bdb8ee7d04d3 |
| SHA256 | 79749d806407a214b9d1dda43f899fc05e8ffd8690f768353e3d4c25f6397de9 |
| SHA512 | 6bd1b4cdd7330b476bb1fa389355ca7580026e167f6e387ad7b6a373a5cf2c8364651f3b1f20f628d7abed239b9b7e26888314e3517ea2c63d258a5d3dfb552a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9e8fd061c916d70c419e3ccedf9239e1 |
| SHA1 | 2c91db840f31bedb34d399aab16c524a5a22dd20 |
| SHA256 | 639eca1bfeaca063be7c6af44bd78894d1b53e01f383e6b284a89fa91974a29b |
| SHA512 | 5c31189ffdde8d27ed8691ecf9a8792345e1680e6a9c6bd70290fbf6d148ec10778cefa50ea7d8fcc934b8eff7d097046123ce41e15a2b7da38aa2a1a9147d48 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 7129167437c0ea6f0f6798f1b46c6005 |
| SHA1 | bf91f32108fe8093a4cbeb2ea8c1ac6177f60420 |
| SHA256 | 28cc7cbdeda51744be9247b39e78d2b058e3a582c1aa2a4ed5e0c6237f3be8a5 |
| SHA512 | a1d0f4601d8757637bdfc64c9e9c138f90910732ce13fdb329cb03ff546c4cec418cba4f0defc186a6cc010487659595f6c585781702dde2f007dcd903089d75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e415ab26ca255431173e6064109a9a83 |
| SHA1 | 6b1aad85dccdc9becc03e82744aa85a09be1384b |
| SHA256 | 20572405bd64d32917861d3638bb3b85f89e44bf852c5c0a33116251caa214d4 |
| SHA512 | 989cfa64f49e08c9a0f291b94b18c0a514ccfe9a456bf9dc350968cf3dcc977dc06bbba6c548d45bd50af171cd8f79135fdba7a0e586f85eb72fcadf104fa6b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 51e282826015658499709682952036f1 |
| SHA1 | c7ac723fe1c8825552940b5455ac41efe7a587d2 |
| SHA256 | 89fb1f6036af80d1bb093607b80b6264fbe1b8772ee03c7e5fe37c74e97d1eba |
| SHA512 | fff312a955ba60095c2a0b46f7eb54a788f45717d557f9126907e47ecf02771e07437e2bd9e6345a664c60d0452cf35e43ccba224275db4c34cd275ee33d7269 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 91fcb73f58ead0ea0e95602bc49b0632 |
| SHA1 | 89704ec5be1d041809b833d1730b085746f921fc |
| SHA256 | d9e31ebc3a8c5fa424645718e5b2169d5e04ee8c80d52020b912bcdad0c27f89 |
| SHA512 | 99f8e756842257a6dc65d5332b0f44e3f3698a1879f6d44b39e2bcab0dbff2b8fa2b0cae2e68f7b517d0a77f751fab0c8ecb4c26c43d932e66b2194122ace82d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 529e90528b14bbb6f023b08016d7380f |
| SHA1 | f425983290f2956b31682ec9c575dbea3daca977 |
| SHA256 | 0b69017cc21e912a56052ec0d9a87c648df1b2cb1e42f2e6c52a70e016d7da55 |
| SHA512 | 381764db1f4e4eb4e1c0e29cddf4b552938b0f5b3425a547ef7dfa654fab2ffdabc377b90803b5c979cffcb09b7a3f43960ae7d9f843552508a87275bc949bbf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 2198b2da981e55f187e21189283436c7 |
| SHA1 | 0e67cf49a820c87b0ce6a4e1266048fd7ed93ee1 |
| SHA256 | 96c993557f15389aa2bbd6866dd3594c34a41e6fe55de99c67d47ee0237941aa |
| SHA512 | 2e43f6356286c29c8d1d390f067a7255917946ca37ccd6442f70f6a386fb09e36d9e0de4324f74567d145d7e2906faa2256a08f087bcc126182079c265aaef1b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 70bd03c86c1ca63719b05e25e192da91 |
| SHA1 | 4fbd82e9f3fef89968adcf1e0ca2083bd1420adc |
| SHA256 | 182d1da5c1f44fd191b06ccd5388a6f472056bc9357d803e8ccf1e3637d8e373 |
| SHA512 | ac01f71d15007935372309172560ae7c9cc9455c24b0b654f64b82b45de2c786d15d73b5c867094b85afbc367359690db456c990d7f9965f5cfc30331ea981d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b4ab126ba3417cecced596878021efb4 |
| SHA1 | 2e905968469b9b63e2167f534c2febc33b54cc3f |
| SHA256 | 8b64e2302f7ce039a791f922f2bdb5e5305956b7ee94be1e005a29c89f8eb880 |
| SHA512 | c2920438af2fc2a80442aa91577ca0d678222078785590f02341336fdfa30476e1dd24e17eea6239b349797a473bc6b9bff83b131c7f8ca6320982e5ddb1685b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-11 19:31
Reported
2025-01-11 19:46
Platform
win11-20241007-en
Max time kernel
899s
Max time network
881s
Command Line
Signatures
Orcus
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater = "\"C:\\ProgramData\\GoogleDat\\GoogleUpdate.exe\"" | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeStarter = "\"C:\\Program Files (x86)\\GoogleChromeUpt\\Updater.exe\"" | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5092 set thread context of 3696 | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | C:\Windows\SysWOW64\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| File created | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe.config | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dwn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\ChromeDEV.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GoogleDat\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\GoogleChromeUpt\Updater.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe
"C:\Users\Admin\AppData\Local\Temp\32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153.exe"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\ProgramData\GoogleDat\GoogleUpdate.exe
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\dwn.exe
"C:\Users\Admin\AppData\Local\Temp\dwn.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
"C:\Users\Admin\AppData\Roaming\ChromeDEV.exe" /launchSelfAndExit "C:\Program Files (x86)\GoogleChromeUpt\Updater.exe" 2000
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
"C:\Users\Admin\AppData\Roaming\ChromeDEV.exe" /watchProcess "C:\Program Files (x86)\GoogleChromeUpt\Updater.exe" 2000
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
C:\Program Files (x86)\GoogleChromeUpt\Updater.exe
"C:\Program Files (x86)\GoogleChromeUpt\Updater.exe"
Network
| Country | Destination | Domain | Proto |
| CA | 198.50.242.157:443 | tcp | |
| CA | 198.50.242.157:443 | tcp | |
| CA | 198.50.242.157:443 | tcp | |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| CA | 198.50.242.157:3846 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\install.vbs
| MD5 | bb683902f4d897285b9eb79d71a86df6 |
| SHA1 | 6ca60977902f02b72afd24caa65be77d06692b09 |
| SHA256 | 1829d2480ab6bbfe942aadf34cb74ccd651427d10a9b51b222923fb921ebfc70 |
| SHA512 | edbb9b416ad84ce216ed18db11cbed0b46a079b7b2463e942b809a8a2fe5540eb1101114c5d0944da383c02617dec1017df1235949caf24eb515550f456eaeda |
C:\ProgramData\GoogleDat\GoogleUpdate.exe
| MD5 | 991e707e324731f86a43900e34070808 |
| SHA1 | 5b5afd8cecb865de3341510f38d217f47490eead |
| SHA256 | 32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153 |
| SHA512 | 07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79 |
memory/3696-8-0x0000000000EC0000-0x0000000000F3F000-memory.dmp
memory/3696-9-0x0000000000EC0000-0x0000000000F3F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwn.exe
| MD5 | 233df6b3803532e93dc307f6739dbcfc |
| SHA1 | 33d32253477f35e01763207b59d60fdaa3f24581 |
| SHA256 | 1b0f1c3f410211b515d0f61bb0c9fcdbf71287fe73a0feb2ba27a9e51ffdee02 |
| SHA512 | 0d1bd2ab3a37bd3840121001097de98ec8680e79bbc3edcaf4bd77e0b115b5e9fb6945f5897172c554a44ffdbfc8af4afa9914ec11c8259322e927a8c49ef345 |
memory/3476-22-0x0000000000E40000-0x0000000000F2C000-memory.dmp
memory/3476-23-0x00000000033E0000-0x00000000033EE000-memory.dmp
memory/3476-24-0x00000000059B0000-0x0000000005A0C000-memory.dmp
memory/3476-25-0x0000000005FE0000-0x0000000006586000-memory.dmp
memory/3476-26-0x0000000005B00000-0x0000000005B92000-memory.dmp
memory/3476-27-0x0000000005AE0000-0x0000000005AF2000-memory.dmp
memory/3476-28-0x0000000005AF0000-0x0000000005AF8000-memory.dmp
memory/3476-29-0x0000000005F60000-0x0000000005F82000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2092-43-0x0000000000E60000-0x0000000000E6C000-memory.dmp
memory/2092-44-0x00000000016B0000-0x00000000016C2000-memory.dmp
memory/2092-45-0x0000000003000000-0x000000000303C000-memory.dmp
memory/1104-50-0x000000001A330000-0x000000001A43A000-memory.dmp
memory/2000-66-0x0000000005860000-0x0000000005872000-memory.dmp
memory/2000-67-0x00000000063E0000-0x000000000642E000-memory.dmp
memory/2000-69-0x00000000065C0000-0x00000000065D8000-memory.dmp
memory/2000-70-0x0000000006980000-0x0000000006B42000-memory.dmp
memory/2000-71-0x0000000006630000-0x0000000006640000-memory.dmp
memory/2000-72-0x00000000067E0000-0x00000000067EA000-memory.dmp
C:\Users\Admin\AppData\Roaming\ChromeDEV.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/8-86-0x0000000000CC0000-0x0000000000CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ChromeDEV.exe.log
| MD5 | bb27934be8860266d478c13f2d65f45e |
| SHA1 | a69a0e171864dcac9ade1b04fc0313e6b4024ccb |
| SHA256 | 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4 |
| SHA512 | 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb |
memory/2000-94-0x0000000007AF0000-0x0000000007B56000-memory.dmp
memory/2000-95-0x0000000008180000-0x0000000008798000-memory.dmp
memory/2000-96-0x0000000007BC0000-0x0000000007BD2000-memory.dmp
memory/2000-98-0x0000000007C60000-0x0000000007CAC000-memory.dmp
memory/2000-97-0x0000000007C20000-0x0000000007C5C000-memory.dmp
memory/2000-99-0x0000000007DF0000-0x0000000007EFA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updater.exe.log
| MD5 | 23095077e59941121be408de05f8843b |
| SHA1 | 6a85a4fb6a47e96b4c65f8849647ff486273b513 |
| SHA256 | 49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5 |
| SHA512 | 05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211 |