Analysis

max time kernel: 290s
max time network: 292s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2023 16:19

Static task: static1
Behavioral task: behavioral1
Sample: sample.js
Resource: win10v2004-20230220-en
Errors: none listed

General
Target: sample.js
Size: 13KB
MD5: 0a1d0cb632a7f7cde057b8c11c1248a2
SHA1: 651caf0aa2637d0b56411f1679eb68f43a7b00b2
SHA256: 9ea61336dc345e8e68c562f94a385c3831a0fe621d242f24abfbe34d28e16c57
SHA512: f911550898a737cd17c11e0056660ba83b4a577baaeba85c5fea5f5119cb0cd8226f6176b0afafe163a57223c60b5767aed10211f6fde22eeb42aaa0f535524a
SSDEEP: 384:rN+0ElzeVoOsKlElKeGM0U8HhhbNAq28rtGk:rc0ElCVoOsKCI1MeBhb60rr
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"  [NoEscape.exe]
  Userinit normally holds only "C:\Windows\system32\userinit.exe,". Winlogon starts every comma-separated entry at interactive logon, so appending C:\Windows\winnt32.exe (the file NoEscape.exe creates, see "Drops file in Windows directory") relaunches the payload at every logon. When hunting for this, test for any entry other than userinit.exe rather than matching on this file name.

EnableLUA set to 0 (1 IoC)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [NoEscape.exe]
  EnableLUA = 0 switches User Account Control off; it takes effect after the next reboot. Writing this HKLM policy value succeeds only with administrative rights, so NoEscape.exe was already running elevated when it did this.

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [NoEscape.exe]
  Per-user policy: regedit.exe refuses to start for this SID (the sandbox's Admin account), which hampers manual reversal of the Userinit and EnableLUA changes above.
Executes dropped EXE (2 IoCs)
  pid 5200 PCHealthCheck.exe
  pid 2224 PCHealthCheck.exe

Loads dropped DLL (15 IoCs)
  pid 5812 MsiExec.exe (2), 4304 MsiExec.exe, 4800 MsiExec.exe, 5200 PCHealthCheck.exe (5), 2224 PCHealthCheck.exe (5), 1488 vc_redist.x86.exe
  The names match Microsoft's PC Health Check installer and the VC++ redistributable it pulls in (see the ms-pchealthcheck handler under "Modifies registry class"). The "dropped" signatures fire because these binaries were written to disk during the run; that says nothing by itself about whether they are genuine, so verify their Authenticode signatures and hashes before dismissing them.
Drops desktop.ini file(s) (3 IoCs)
  File opened for modification C:\Users\Admin\Desktop\desktop.ini  [NoEscape.exe]
  File opened for modification C:\Users\Public\Desktop\desktop.ini  [NoEscape.exe]
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini  [msiexec.exe]
  Two of the three are NoEscape.exe writing into both Desktop folders, consistent with a pass over user directories; the Start Menu entry is the installer's.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\A:, \??\B:, and \??\E: through \??\Z: (every drive letter except C: and D:, each opened twice)  [msiexec.exe]
  All 48 opens come from msiexec.exe, which probes drive roots while resolving install sources; none of them is attributed to NoEscape.exe.
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"  [NoEscape.exe]
  The wallpaper is replaced with a PNG dropped under the user's AppData\Local and named after the process. Swapping the desktop background for a ransom-note image is the usual reason a payload writes this value.
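The registry writes above (Userinit, EnableLUA, DisableRegistryTools, Wallpaper) are worth turning into rules rather than matching on file names. The following is an added example, not code from the report, the sample or Triage: it parses "Set value" rows in the report's own text format and applies four checks: a Userinit entry other than userinit.exe, a Winlogon Shell other than explorer.exe, EnableLUA = 0 or DisableRegistryTools/DisableTaskMgr = 1, and a wallpaper path inside a user-writable directory. The Shell and DisableTaskMgr checks go beyond what this sample did; the rule names, the list of user-writable path fragments and the two benign control rows are this example's own.

```python
"""Turn a sandbox report's registry 'Set value' rows into findings.

Added example: the first four SAMPLE_ROWS are copied from the report above,
the last two are benign controls constructed for the example; rule names and
thresholds are this example's own choices, not Triage's.
"""
import re
from dataclasses import dataclass

# One report row: Set value (<kind>) <key>\<name> = "<value>" <process>
ROW = re.compile(
    r'^Set value \((?P<kind>str|int|data)\) '
    r'(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\\s=]+) = '
    r'(?:"(?P<quoted>.*)"|(?P<raw>\S+)) '
    r'(?P<proc>\S+)$'
)

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"
# Folders an unprivileged dropper can write to; a wallpaper served from one
# of these is how ransom notes usually reach the desktop.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def parse_row(line):
    """Parse one report row into (kind, key, name, value, process) or None."""
    m = ROW.match(line.strip())
    if not m:
        return None
    value = m["quoted"] if m["quoted"] is not None else m["raw"]
    # The report escapes backslashes inside quoted values ("C:\\Windows\\...").
    value = value.replace("\\\\", "\\")
    return m["kind"], m["key"].lower(), m["name"].lower(), value, m["proc"]


def check(kind, key, name, value, proc):
    """Apply the rules to one parsed row; return a Finding or None."""
    tail = key.rsplit("\\", 1)[-1]  # last key component, e.g. 'winlogon'
    if tail == "winlogon" and name == "userinit":
        entries = [e.strip().lower() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if e != DEFAULT_USERINIT]
        if extra:
            return Finding("winlogon_userinit_persistence", proc, ", ".join(extra))
    if tail == "winlogon" and name == "shell" and value.strip().lower() != DEFAULT_SHELL:
        return Finding("winlogon_shell_persistence", proc, value)
    if tail == "system" and "\\policies\\" in key:
        if name == "enablelua" and value == "0":
            return Finding("uac_disabled", proc, key)
        if name in ("disableregistrytools", "disabletaskmgr") and value == "1":
            return Finding("admin_tool_lockout", proc, name)
    if tail == "desktop" and name == "wallpaper":
        if any(frag in value.lower() for frag in USER_WRITABLE):
            return Finding("wallpaper_from_user_writable_path", proc, value)
    return None


def analyse(lines):
    """Run every rule over every parseable row and collect the findings."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row:
            f = check(*row)
            if f:
                findings.append(f)
    return findings


SAMPLE_ROWS = [
    # From the report (NoEscape.exe):
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe" NoEscape.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NoEscape.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png" NoEscape.exe',
    # Constructed benign controls: a LogonUI theme write and a stock Userinit.
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe," msiexec.exe',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        print(f"{f.rule:36} {f.process:14} {f.detail}")
```

The same rules apply unchanged to Sysmon Event ID 13 (RegistryEvent value set) or EDR registry telemetry once the key, value name, data and image are mapped onto the tuple that `check()` takes.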
Drops file in Program Files directory (2 IoCs)
  File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230401181947.pma  [setup.exe]
  File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cc6bc7f4-327c-4ea3-9527-a1a683b88ba3.tmp  [setup.exe]
  Edge's own installer writing its metrics files; benign.

Drops file in Windows directory (11 IoCs)
  File opened for modification C:\Windows\Installer\MSIF6F3.tmp  [msiexec.exe]
  File opened for modification C:\Windows\Installer\MSIF87A.tmp  [msiexec.exe]
  File opened for modification C:\Windows\winnt32.exe  [NoEscape.exe]
  File created C:\Windows\Installer\e57f3c6.msi  [msiexec.exe]
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  [msiexec.exe]
  File opened for modification C:\Windows\Installer\  [msiexec.exe]
  File created C:\Windows\Installer\e57f3c8.msi  [msiexec.exe]
  File created C:\Windows\winnt32.exe  [NoEscape.exe]
  File opened for modification C:\Windows\Installer\e57f3c6.msi  [msiexec.exe]
  File created C:\Windows\Installer\inprogressinstallinfo.ipi  [msiexec.exe]
  File created C:\Windows\Installer\SourceHash{804A0628-543B-4984-896C-F58BF6A54832}  [msiexec.exe]
  The only non-installer entries are NoEscape.exe creating and then modifying C:\Windows\winnt32.exe, the path it registered in Winlogon\Userinit. Writing into C:\Windows again confirms the process held administrative rights.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  [vssvc.exe]
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value omitted]  [vssvc.exe]
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  [vssvc.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  [vssvc.exe]
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  [vssvc.exe]
  Every hit belongs to vssvc.exe, the Volume Shadow Copy service, writing its Partmgr caches (SnapshotDataCache starts with the bytes 53 4e 41 50 50 41 52 54, "SNAPPART"). That is the service doing snapshot bookkeeping, not the sample fingerprinting the disk; the useful fact is only that VSS was exercised during the run. Note also that the disk reports vendor DADY and product HARDDISK rather than a hypervisor string such as VBOX or VMware, so a string-matching VM check against this key finds nothing.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WINWORD.EXE]

Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  [WINWORD.EXE]
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  [msedge.exe]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  [msedge.exe]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  [msedge.exe]
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  [WINWORD.EXE]
  All of the processor and BIOS reads are by WINWORD.EXE and msedge.exe, not by wscript.exe or NoEscape.exe, so these two signatures are background noise from Office and the browser rather than evidence that the sample checks for a sandbox.
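To see why these reads are flagged at all, here is the check malware families run against the same keys, as an added example that is not code from the report, the sample or any named tool: a substring match of ProcessorNameString, the vendor and product fields of the SCSI Enum instance path, and the BIOS values against hypervisor markers. The SCSI path is the one from this report; the CPU and BIOS strings and the marker list are constructed for the example, since the report records the values as queried but does not print them. Running it shows that the report's DADY/HARDDISK disk gives a naive check nothing to match on, while a stock VirtualBox guest lights up in several places.

```python
"""The naive hardware-string VM check that the flagged registry reads serve.

Added example. The SCSI instance path in SANDBOX is taken from the report;
the CPU/BIOS strings, the STOCK_VBOX values and VM_MARKERS are constructed.
"""
import re

# Substrings commonly looked for in hardware strings (example's own list).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "kvm",
              "bochs", "parallels", "virtual machine", "innotek")

# SCSI\Disk&Ven_<vendor>&Prod_<product>\<instance id>
SCSI_ID = re.compile(r"Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)")


def scsi_vendor_product(instance_path):
    """Split a SCSI device instance path into (vendor, product).

    'SCSI\\Disk&Ven_DADY&Prod_HARDDISK\\4&215468a5&0&000000' -> ('DADY', 'HARDDISK')
    """
    m = SCSI_ID.search(instance_path)
    return (m["ven"], m["prod"]) if m else ("", "")


def _marked(text):
    """Markers present in text, case-insensitively, in VM_MARKERS order."""
    low = text.lower()
    return [mk for mk in VM_MARKERS if mk in low]


def vm_indicators(cpu_name, scsi_paths, bios):
    """Return the 'source:marker' hits a naive VM check would report.

    cpu_name   - HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString
    scsi_paths - instance paths under HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI
    bios       - values under HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS, by name
    """
    hits = [f"cpu:{mk}" for mk in _marked(cpu_name)]
    for path in scsi_paths:
        ven, prod = scsi_vendor_product(path)
        hits += [f"scsi:{mk}" for mk in _marked(f"{ven} {prod}")]
    for name, value in bios.items():
        hits += [f"bios.{name}:{mk}" for mk in _marked(value)]
    return hits


# Constructed input. Only the SCSI path comes from the report; the CPU and
# BIOS strings are made up, as the report does not print those values.
SANDBOX = dict(
    cpu_name="Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    scsi_paths=[r"SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"],
    bios={"SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7070",
          "SystemFamily": "OptiPlex", "SystemSKU": "08B9"},
)
# A stock VirtualBox guest for comparison (also constructed).
STOCK_VBOX = dict(
    cpu_name="Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    scsi_paths=[r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000"],
    bios={"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox",
          "SystemFamily": "Virtual Machine", "SystemSKU": ""},
)

if __name__ == "__main__":
    print("sandbox   :", vm_indicators(**SANDBOX) or "no VM markers")
    print("stock vbox:", vm_indicators(**STOCK_VBOX))
```

The point for triage is the inverse of the check: when a sandbox reports these keys being read, look at which process read them. Here it was Office and the browser, and the sandbox's hardware strings are already neutral, so the signature carries no weight for this sample.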
Modifies data under HKEY_USERS (15 IoCs)
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  [LogonUI.exe]
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "87"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  [LogonUI.exe]
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  [LogonUI.exe]
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  [LogonUI.exe]
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  [LogonUI.exe]
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  [LogonUI.exe]
  All 15 are LogonUI.exe populating accent and DWM colour keys in the .DEFAULT hive, which it does whenever the logon or lock screen is drawn. The writes themselves are noise; what is worth noting is that the logon screen was displayed at some point during the run.
Modifies registry class (10 IoCs)
  Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\shell\open  [msiexec.exe]
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [msedge.exe]
  Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2275444769-3691835758-4097679484-1000\{46503857-96B5-4C8B-80E1-0D5F3858CE51}  [msedge.exe]
  Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings  [msedge.exe]
  Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck  [msiexec.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\URL Protocol  [msiexec.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\ = "URL:ms-pchealthcheck"  [msiexec.exe]
  Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\shell  [msiexec.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\PCHealthCheck\\PCHealthCheck.exe\""  [msiexec.exe]
  Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\ms-pchealthcheck\shell\open\command  [msiexec.exe]
  msiexec.exe registers a per-user ms-pchealthcheck: URL protocol whose handler is PCHealthCheck.exe under AppData\Local. A per-user protocol handler whose target sits in a user-writable directory can be reached from a browser link and is a common hijack target, so confirm the binary's signature before treating this as benign. The msedge.exe entries are the browser's own CLSID and AppModel bookkeeping.
NTFS ADS (1 IoC)
  File opened for modification C:\Users\Admin\Downloads\Unconfirmed 548120.crdownload:SmartScreen  [msedge.exe]
  This is Edge attaching its SmartScreen stream to an in-progress download (the .crdownload placeholder), i.e. the browser's normal download handling rather than a payload hiding data in a stream. It does show that a file was downloaded through the Edge session during the run.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 5928 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 4360 msedge.exe (2), 3256 msedge.exe (2), 5076 identity_helper.exe (2), 2424 msedge.exe (2), 5748 msedge.exe (2), 4324 msiexec.exe (2), 5996 msedge.exe (4), 1544 msedge.exe (2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (32 IoCs)
  pid 3256 msedge.exe (all 32)
  The Edge browser process launches its children with the "block non-Microsoft binaries" process mitigation; this is the browser hardening itself, not sample activity.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 5280 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then twice over the full set SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and a third SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege before the listing stops at 64 entries
  pid 4324 msiexec.exe: SeSecurityPrivilege
  Enabling every privilege in its token is how the Windows Installer service normally runs; the count is inflated by repetition, not by unusual privileges, and no NoEscape.exe token adjustment is listed.

Suspicious use of FindShellTrayWindow (29 IoCs)
  pid 3256 msedge.exe (27), 5280 msiexec.exe (2)

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 5200 PCHealthCheck.exe (2), 2224 PCHealthCheck.exe (2), 5928 WINWORD.EXE (7), 3864 LogonUI.exe (1)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3256 msedge.exe wrote to memory of its child msedge.exe processes 4920, 4332, 4360 and 4716 (all 64 listed entries are msedge.exe -> msedge.exe; the listing stops at 64)
  Process creation by the Chromium browser process shows up as writes into the new child's address space. No write in the list involves NoEscape.exe, wscript.exe or PCHealthCheck.exe as source or target, so this is not evidence of injection by the sample.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
  No process is attributed to this signature on the page, but the vssvc.exe activity under "Checks SCSI registry key(s)" shows the service was started during the run. Ransomware commonly uses the VSS API to enumerate and delete shadow copies before or after encrypting, so a full run of this sample should be checked for snapshot deletions.
Processes

Indentation follows the parent/child depth recorded in the report (three levels). Each entry gives the image path, then its command line on the next line, then the signatures attributed to it. The tree as captured here ends inside the Edge subtree: NoEscape.exe, msiexec.exe, WINWORD.EXE, PCHealthCheck.exe and vssvc.exe, which account for most of the signatures above, are not shown, so their parent processes cannot be read off this page.

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\WriteGet.mht
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffef82946f8,0x7ffef8294708,0x7ffef8294718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x254,0x258,0x25c,0x230,0x114,0x7ff7267d5460,0x7ff7267d5470,0x7ff7267d5480

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4332 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6292 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6280 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7484 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\WindowsPCHealthCheckSetup.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1404 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,17795971554947107172,12205071244294692806,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x504 0x4f41⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 1E1EAF90C66141D94A890B09D4EDDFFB C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 316BA77ACE4A6BBD7E8FE8389E47006C2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 054A1CBE83E46806F9604F5848542346 C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\PCHealthCheck\PCHealthCheck.exe"C:\Users\Admin\AppData\Local\PCHealthCheck\PCHealthCheck.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\PCHealthCheck\PCHealthCheck.exe"C:\Users\Admin\AppData\Local\PCHealthCheck\PCHealthCheck.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"1⤵
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\vc_redist.x86.exe" -burn.unelevated BurnPipe.{19315F13-5B06-42BC-AAA9-F467D3DCD916} {3B188C73-6625-4708-96CE-69868661C90B} 20362⤵
- Loads dropped DLL
-
C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"C:\Users\Admin\Downloads\NoEscape.exe\NoEscape.exe\NoEscape.exe-Latest Version\NoEscape.exe"1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Windows directory
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bc055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Config.Msi\e57f3c7.rbsFilesize
53KB
MD58d569c3002a40470a0620281e3ddea4a
SHA1ef945df177112bb1d8df1731269891d21ba23de4
SHA256f3aa49e2c78079736b2b8e104d8fb8742a4c0fcb41a250a544b0947a3c23b426
SHA512e8ab498420c12e7287740471743df17d09628d3a36cb6dda557b1e2383e93e1b8dfea7952eaacffb41bb5b73cd9b1bce48cc65bc3a5596689f93f90b177dd88f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD578c7656527762ed2977adf983a6f4766
SHA121a66d2eefcb059371f4972694057e4b1f827ce6
SHA256e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA5120a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5099b4ba2787e99b696fc61528100f83f
SHA106e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA5124309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\583e4060-918b-4f2f-b105-d651a21f9940.tmpFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
67KB
MD5a69d5a892093579ba2eb14e030cb887b
SHA11138a13f8c61e87ffa9f611345fbe1c57d836725
SHA2567076781310ea6ad20afb3e8d4089aa877eada0cf19684b44a615d779c1427f65
SHA51285a8327fc6ac3f7eef2a96454e3dd7a284c99fabf8f6d814382714d3ed8ea21f7f7b6d599953fce74989a64a4c9875db844bca0710b333646be1f783edf7d6dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
62KB
MD5c75e16ebee81303c7d361cff076c69a7
SHA1ed658ee2e5f92380ec1cddb47d9294d26980ce69
SHA256da5719acdf85d2d237fa2afe4cee6fb0c81e42dd8f4d5e85d674932d79a23e00
SHA512dcde0b218d0288af970d1a2a84ea3f4d203a7148fcb328ce0b6b72fdf49e7f39bfa61242e4a5ebe884daec18387be8582f59157b985265e4ba3fca78721ca381
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
38KB
MD5e4c780a544249a7967b82f07268ef432
SHA164b38d103f06b8de4241c62835f67b28a96d286c
SHA2564d2dc675ba41d56f2aa6cc1286f3f127590c9748f7b4e0bf4c79b0b4bd620a9a
SHA51274b9135f09dffd7a081889235d2f4c7a343291a4c4458ac69754cdd5790b455b9b98a128561d516202549e83671de13cc4e4b9cfb3ff195dc3d23b42885edf49
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012Filesize
18KB
MD5d98f6933949ebc124cc652c76b4523eb
SHA1b5cb19f3a4924d02e67b3a41c6474a741a6a6f73
SHA2569e3f1271c142e7da1cde822650f2c087db51c39a38db21cbfbad503e882116d5
SHA512b6eb511bbd0a32ecaed2c24fd4b9638b5b81f322dbaed7b48647ab3e8c2b1c06e23c12ad10acb24da0cf18843104395e14bafc1cdc4f8af1d104fcce3cbdb638
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD566f3470fc41ec462c598636e4cb7b5ad
SHA12a37c35b5414f80076f74caaef561ad3c14d9757
SHA2569171825d41d6fa044d092056c14dc2518aa7fb726e2f9fb4470362972bf09054
SHA51236a0527ff99d0f24b13abd55a77f474c4bef8de25b25df4df88ac8bac59f3baf7b04223aeceed1fe74313009b633495f818aceb765ebcdd3d9f74fd9dca1714b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5acaf0abf5b14b8d1e4bda8c242882b09
SHA116496319421f4ea2d19eb2055a1f0c4e3e79aa8d
SHA25675c192f5ef28ad9ff1a569369ba05840a99adf721a7042d270906400e2bdcb10
SHA512bcc3d52178e6e49949f1c2de84933a20a94c31387cfbf9b26f28b6158f4125b45d90cd7bded90385879617d9d16dc62bf14cfbc2b57aaf371b50f2c41e608d83
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5d9202f15596eb34f4347f8c62bb82c54
SHA1f75f11ea305463ac9b240ae1e9895d7a57ecd5c2
SHA256374ed2d7717ff32656791d9930970c4766d6cf01dccd9881b4647de56efa7531
SHA51213bd4d67711ec4be605a86576637650a0a694dddb13153e1418955da730975621ef7d02dc6132812c3119d5b22cde7b3294f30ccd5496e62be8eaa1c53bb6375
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.microsoft.com_0.indexeddb.leveldb\MANIFEST-000001Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD59ddf1e6624be696e9b37d9f08fb8e935
SHA1c5d7ccfcd402fcb6670f6372b648b358796ad266
SHA256a4e407d7ccf2a5374a21db42b4521c6e55f3542dfa63461750b116d208a423d1
SHA51210fa28e06793f39abab0e172b5e3b94c5600b2d86ce6dd78ef0de2cb42aa1b6c397675c309bc9ebba282187123d0bed401ff56be6bc01113a0b62219375c690d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
3KB
MD5c6fc8f8efb49657739daa3f467f2c1d1
SHA1058064eae724e01efad27a9f4862ac8f5079915d
SHA256c9c260b2fe4ffa99c1ca7bea6b92ed4ee031d65f109fca2bd63689abd545f5c8
SHA5125e0b2b47529f384ae730b0aaa7008ad5cc615fc0744ce5d28ba4f4ffa9ddea7e608b0e8f6abdb7e2e571f71a682692754ac5b7c8626f4a6f2e5e6f2fee1696ff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5b40f0be15ff58e9af6e4c069a9f10307
SHA17015d28dcaa7d0262b5fd462d1d98658cf4d3367
SHA2562d34cca246c2d17ac3883bf198859f0b4cb09ef3fc7ea43bdf95a9c0fe9ded25
SHA51253468ce44908a32e85f60c153f2cbfce2e437805f85190852dbf797c6e6ad1b5c5fc9438a8071e293b6b8b41399fdcbeec37cd3fae41822b256caf4962264fdd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD58f9071cf0ee5d2f66895f893ab730b08
SHA1ca5804d5f9f81011d2695b8dfe4fd3e21e0d90b5
SHA25698aa56ae3755ee848b1444148c4abbfd2f7e2c8367d377be7b12d5d50b3facff
SHA51286099d434ddc8a138618d48a161e3d02fc2df894113949ced501f5e7c4856cde6c6bb6653aa655475ea94bdf15e17560283dee67fac411095473146357103a58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5a7a3ff3a5d182bff1bad7b47cc4413ab
SHA111b2c954609cf463d36c36dd72845a4c8e8dcc9b
SHA2560ddfc13cf3c4c5b7826f1143e76451b88985c484e1fd9fa971d6ea94ea93f041
SHA512f7c203ae7013145dd5ea5115985a9d771339b31a7c3a7fd2dd41ce1fa2fba4c9d213c562c27e9241aba530bc671738adb7edb7b8f3b843b1424df78a0355d82a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5b58ecd38b4391a26a96b751ae9ed5fbc
SHA1d4abf485e6cca8a81e1d91cd86f23bd28005a310
SHA2569a68fdc2bbb31a56fd21d638f2309a6b9086ceadbad6ebefc4ca087304110b4a
SHA512cb96dc71bcb2302b2d375144709a90031dc45e56c295a70dc726469cb61a782fb3b9963daba4df9305a9dac2b54df32f3d4b4cbf21142abdef16cffdc1031e9e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD55965bb5da426c3ca478345d14470d35c
SHA1185919a99a8bde14c8a1c925c97b9cb9dd3ffb06
SHA2565a325b8593405046981a8734a9b007b643448d1d2fc1890d7ecefe7bf348ccef
SHA512d4e89395873b5297736d4cb846d09d4ed589f10c650750a0353fcfb79b94f24612aa97c92d4c89ff55f9af2a8ea1d0dbbda44751dc549ba706494921092af517
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD535c2dffef4132448d05524d79bfd4760
SHA169854dd720a34027c1df6f99217c02a6775c847b
SHA256383936cab97c589e3010a78f155cc1f17bf32ba01d700098a2212b3f74b37103
SHA512f9769de0ec8e715e3771fe560615e071684bde091fee91760e3df0b252b92c2d65048a625da79c9754e1b75d4f5f351e2ce0e2cce63310735bb05020d13be197
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
9KB
MD52bd0cec4d7a1aa92b960caf51cba5a20
SHA112edd63c89fc531da2656114a78f9d6e640f3eff
SHA2565a12cab4abed8a6e880a9b2b231da9b0cab0e1cd28d47605b9c1f2d00545ea40
SHA5125b812f10b5fd661b12b99157cf3a52da99ffbd483a65cbf251eef7e2c85cd7ce24a38c9d02fbe216cebf6e4537309d9dec4b14d4c4add242aa5d2d1eed079edb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5867ff86d4941748d807a047d62cb09cf
SHA13ea62a8351e60cb6bde832ca9b27eb60b36b4407
SHA25644f94115ae406751680df023bae5f2a71a71441bb720cac085875e8a62123fee
SHA5128cfd61ad3435620ae440cbde2de6bfd87fd3b9b7d55adb506e203355cfb8240b65506a63fe22e470d225e94a855026e7160492ab80c5eb7f03a5c09231e2cde9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a393820a4f3761d3a2bbe310afaa5887
SHA1e14eb3022842b014a513813a74839f7f24a2c367
SHA256023825cd3bfc3287e157f562815ce23dc150039ed0c67a44aad1917f15003ebd
SHA51209eab3c8ed1b18533fe9c719abd1689b6fc5faf62de033412b11a1baf63317164bc21e8343f293c921cfab194b199d4a57edfd018d0a1b75d83c6e7cce9f50bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD514fb2a6da15714c9ad0cfc4fb1314234
SHA11540a26b4d9ac0c07e9c7c2ff80505928bbc0685
SHA256f6e7886b2b6c91aef198166ea3e3fcee865f525ee8949e41ef225b0683eca0ee
SHA512c13af95e2bb5b1025aa503d919a405cec19026d95480990d79df68eeb612d8f77cd5008bd54f57a05336500f992262e38eb50d339a2d2763c4995f5aeae1602f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD502ee7addc9e8a2d07af55556ebf0ff5c
SHA1020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD51b96312a0e0aa4be425a1187b8aeaa50
SHA1c9812d617bde8abe8d39f58cfcc0b95bd6d3f2f2
SHA2565ec023f1ebfa66a9859ae5191d12451d9b72b56c3cf6aff90026e940539a8561
SHA512f9aae00f327cc8c0979686c108ea760990a51fe265d644fe9fb8507cfe50f2dbf1c2b57e1035d114af1fc517cf05b7088c2239f322a65e3d92b4f9082b7c774a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD536d22129ef5dd55cdc63776528d04674
SHA1b55e04c69d31bba2f235a8c09164a563e492cac2
SHA2566c1c9a5cef2650336114808a486a954201aec816d5b891fba024a145c6e05722
SHA512f3ec757ea84dc1fe2c910d9d5e83458e1babdafee15ef3140c2e1bf51857da67f11dce313828a4816060b14f94b1d5292e04eae525ceb8ce45a6e3fe020457a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD53b34a74c9a8936918e4bffa5cf879dfb
SHA1e937223fb2082fa471287bf4bab66ec3a28afc60
SHA256cd31f9e0e0572c0026fd66a89869bb77f55fdbc64bde34b61ffa2d87fa115ffe
SHA51274ce46f4ac5605d3fba8ee39930847b4229deb93c094bc8a4e8adf52a06b977b463d7dab33c4fa29f2ba5889ec314efdff0777d0a89ec47c1dea3850aa1dfbeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD52f8189dba5cb6a7af9ccdc0ca4aeb0a4
SHA19fb7b6184e096fd7a4c3a18e4f0178173b6f9bce
SHA256c772c6584d255f60337db3e1cdbb555d22b319ac13432523f3358c07c0e922d2
SHA5122fe0df6b44761bd3ccb41c17661a1b074ee8e410065d3f90889ab9f2c2bf19e442b0b63cbf4197e0eb73b888507dee4fba012bd2215e987410e2f66613849f51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5d7c63d291a7c4a893a6a4c2f848c8324
SHA105fba15c8e2941eefca5141d0962407d6a03dc19
SHA25644d930d57a3682e7079c0e9d73646f10f2988dd4c7d45000ae05ab83d1ecf580
SHA5127c3f4adf0b9dc3ce63be0c85dd809a25d8ca0886c0cf4368748c994842e7075daa02425a0cc5abed177a773cea9034ace9be42c9027b071547ff705d9c6630b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD548084904f6f53c7e023fccabf3144a52
SHA15201e97818901ac8d6c59218002aecc5090f490c
SHA256dbd1a950dff1d15f1ead3eb92176baafa1967ad2f4cabd8f890be07a4f5d095f
SHA512b175dbfcda7b31847f181cf670a65a0b0f9d4e949d8dae3a98264a2c3855834516763f003431ac206a2dee31a8dbbd2c52fb093520483538c899e49f804af404
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5f083771c54d6c3799872db5d0e69ee4a
SHA172f2452319be290921f740ee08ee5ffeee708cbd
SHA256f2276de03ab9e96d61f6d655560154e1a5b411bc1567a401f68ee66a01ff3e00
SHA5127651e352bec210294b1db95e58a358c892a4b2376bbb2c664e970c6b1e7f4298e7dbd5f112449f1306372e0bbbe8e23c5cb6018bbe8c67f368b239f4029dafb2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe572a2d.TMPFilesize
1KB
MD5a12da1c90100919a06f8ea2acc9efdf2
SHA18b22a3f08259ce93173f2aac4b4b30e9a08d537f
SHA25666e9e9bbed23da5bae51e00e8b713c72be01902851dfacfebf729f21273a58e5
SHA51225015d7314993a70b3575668d8d40d76614fd227d5e2e623179f68d7baadbcbc9e0cfc69be724d63dc9f8cf8f6b400f68847cc39b5c80a45ef455b68ee5859cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB