laplas | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
596s
max time network
1495s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

laplas vidar 2ca19830ec2c67b5159166c89d3ebb74 clipper evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 24 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	73931693580275876528.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	34718169297258521871.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52640177584545636565.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48860180401457322117.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	91196299514275159653.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13100886574642325830.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	40070710336698156195.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	32303000205236744822.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	95358271976845248448.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	27639223433003590534.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	97611042725250258194.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	68453887710495628565.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84327230619354191524.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	78096539593513297728.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	04577416811103597989.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	08073082593105840817.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	49774153538682474189.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	68069148471443146625.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	32555750288956129489.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	59998487908007859694.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	75078446944525282934.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79750628408281217578.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	16607747246600108344.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 48 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	27639223433003590534.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	75078446944525282934.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	95358271976845248448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	32555750288956129489.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	32555750288956129489.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	34718169297258521871.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	97611042725250258194.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	75078446944525282934.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84327230619354191524.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	08073082593105840817.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	32303000205236744822.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	32303000205236744822.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	27639223433003590534.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13100886574642325830.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79750628408281217578.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79750628408281217578.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	78096539593513297728.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	78096539593513297728.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04577416811103597989.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	49774153538682474189.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	40070710336698156195.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68069148471443146625.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16607747246600108344.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52640177584545636565.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	04577416811103597989.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	40070710336698156195.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	73931693580275876528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	95358271976845248448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84327230619354191524.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	08073082593105840817.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13100886574642325830.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	34718169297258521871.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68453887710495628565.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	91196299514275159653.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	59998487908007859694.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68453887710495628565.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48860180401457322117.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	59998487908007859694.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	97611042725250258194.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52640177584545636565.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48860180401457322117.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	49774153538682474189.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68069148471443146625.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73931693580275876528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16607747246600108344.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	91196299514275159653.exe

Executes dropped EXE 24 IoCs

pid	Process
4220	68069148471443146625.exe
2084	ntlhost.exe
4688	32303000205236744822.exe
2744	73931693580275876528.exe
4368	95358271976845248448.exe
1272	16607747246600108344.exe
2572	32555750288956129489.exe
380	59998487908007859694.exe
772	27639223433003590534.exe
4644	34718169297258521871.exe
1404	97611042725250258194.exe
540	75078446944525282934.exe
4008	68453887710495628565.exe
4348	84327230619354191524.exe
2600	78096539593513297728.exe
4892	52640177584545636565.exe
4684	48860180401457322117.exe
976	04577416811103597989.exe
632	08073082593105840817.exe
5068	49774153538682474189.exe
1264	91196299514275159653.exe
3384	13100886574642325830.exe
3256	40070710336698156195.exe
3584	79750628408281217578.exe

Loads dropped DLL 48 IoCs

pid	Process
5072	zalu.exe
5072	zalu.exe
976	zalu.exe
976	zalu.exe
4596	zalu.exe
4596	zalu.exe
2216	zalu.exe
2216	zalu.exe
2880	zalu.exe
2880	zalu.exe
2364	zalu.exe
2364	zalu.exe
3292	zalu.exe
3292	zalu.exe
2796	zalu.exe
2796	zalu.exe
2344	zalu.exe
2344	zalu.exe
1060	zalu.exe
1060	zalu.exe
3956	zalu.exe
3956	zalu.exe
1476	zalu.exe
1476	zalu.exe
2640	zalu.exe
2640	zalu.exe
1352	zalu.exe
1352	zalu.exe
2772	zalu.exe
2772	zalu.exe
3588	zalu.exe
3588	zalu.exe
2780	zalu.exe
2780	zalu.exe
4008	zalu.exe
4008	zalu.exe
5072	zalu.exe
5072	zalu.exe
2844	zalu.exe
2844	zalu.exe
2580	zalu.exe
2580	zalu.exe
4360	zalu.exe
4360	zalu.exe
4120	zalu.exe
4120	zalu.exe
1052	zalu.exe
1052	zalu.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	68069148471443146625.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	40070710336698156195.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	32303000205236744822.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16607747246600108344.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	59998487908007859694.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48860180401457322117.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13100886574642325830.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75078446944525282934.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	49774153538682474189.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	79750628408281217578.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68069148471443146625.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95358271976845248448.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	27639223433003590534.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34718169297258521871.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84327230619354191524.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	78096539593513297728.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	52640177584545636565.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	08073082593105840817.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	91196299514275159653.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	73931693580275876528.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	32555750288956129489.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	97611042725250258194.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68453887710495628565.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04577416811103597989.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs

pid	Process
4220	68069148471443146625.exe
2084	ntlhost.exe
4688	32303000205236744822.exe
2744	73931693580275876528.exe
4368	95358271976845248448.exe
1272	16607747246600108344.exe
2572	32555750288956129489.exe
380	59998487908007859694.exe
772	27639223433003590534.exe
4644	34718169297258521871.exe
1404	97611042725250258194.exe
540	75078446944525282934.exe
4008	68453887710495628565.exe
4348	84327230619354191524.exe
2600	78096539593513297728.exe
4684	48860180401457322117.exe
976	04577416811103597989.exe
632	08073082593105840817.exe
5068	49774153538682474189.exe
1264	91196299514275159653.exe
3384	13100886574642325830.exe
3256	40070710336698156195.exe
3584	79750628408281217578.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a0cb739b-6dcb-415b-abd6-c9cf73eea739.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230608091507.pma	setup.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
912	2580	WerFault.exe	195
3080	4360	WerFault.exe	200

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zalu.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	151	Go-http-client/1.1

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{A8C2F676-11B0-48E3-8693-CC3517AD2E0C}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3204	notepad.exe
3880	NOTEPAD.EXE
4892	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3628	powershell.exe
3628	powershell.exe
1828	msedge.exe
1828	msedge.exe
3376	msedge.exe
3376	msedge.exe
2012	msedge.exe
2012	msedge.exe
868	msedge.exe
3672	identity_helper.exe
3672	identity_helper.exe
2216	msedge.exe
2216	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
5040	powershell_ise.exe
5040	powershell_ise.exe
5040	powershell_ise.exe
5072	zalu.exe
5072	zalu.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
976	zalu.exe
976	zalu.exe
4596	zalu.exe
4596	zalu.exe
2216	zalu.exe
2216	zalu.exe
2880	zalu.exe
2880	zalu.exe
2364	zalu.exe
2364	zalu.exe
3292	zalu.exe
3292	zalu.exe
2796	zalu.exe
2796	zalu.exe
2344	zalu.exe
2344	zalu.exe
1060	zalu.exe
1060	zalu.exe
3956	zalu.exe
3956	zalu.exe
1476	zalu.exe
1476	zalu.exe
2640	zalu.exe
2640	zalu.exe
1352	zalu.exe
1352	zalu.exe
2772	zalu.exe
2772	zalu.exe
3588	zalu.exe
3588	zalu.exe
2780	zalu.exe
2780	zalu.exe
4008	zalu.exe
4008	zalu.exe
5072	zalu.exe
5072	zalu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5040	powershell_ise.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
3376	msedge.exe
5040	powershell_ise.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3412	3376	msedge.exe	87
PID 3376 wrote to memory of 3412	3376	msedge.exe	87
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 776	3376	msedge.exe	88
PID 3376 wrote to memory of 1828	3376	msedge.exe	89
PID 3376 wrote to memory of 1828	3376	msedge.exe	89
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91
PID 3376 wrote to memory of 8	3376	msedge.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9715b46f8,0x7ff9715b4708,0x7ff9715b4718
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6853c5460,0x7ff6853c5470,0x7ff6853c5480
    3⤵
    PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=900 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1152 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3108 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,11678516576070561441,17540989933128700446,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Desktop\ConfirmSend.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5040
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5040" "3148" "3108" "3152" "0" "0" "3156" "0" "0" "0" "0" "0"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

C:\Users\Admin\Desktop\zalu.exe
"C:\Users\Admin\Desktop\zalu.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5072
- C:\ProgramData\68069148471443146625.exe
  "C:\ProgramData\68069148471443146625.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4220
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\StopRead.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:1424

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\ConfirmSend.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:3204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\ConfirmSend.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:816

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConfirmSend.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConfirmSend.bat" "
1⤵
PID:3628
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- - C:\ProgramData\32303000205236744822.exe
    "C:\ProgramData\32303000205236744822.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4688

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConfirmSend.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ConfirmSend.bat"
1⤵
PID:4728
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- - C:\ProgramData\73931693580275876528.exe
    "C:\ProgramData\73931693580275876528.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2744
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- - C:\ProgramData\95358271976845248448.exe
    "C:\ProgramData\95358271976845248448.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4368
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- - C:\ProgramData\16607747246600108344.exe
    "C:\ProgramData\16607747246600108344.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1272
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- - C:\ProgramData\32555750288956129489.exe
    "C:\ProgramData\32555750288956129489.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2572
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- - C:\ProgramData\59998487908007859694.exe
    "C:\ProgramData\59998487908007859694.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:380
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- - C:\ProgramData\27639223433003590534.exe
    "C:\ProgramData\27639223433003590534.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:772
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- - C:\ProgramData\34718169297258521871.exe
    "C:\ProgramData\34718169297258521871.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4644
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1060
- - C:\ProgramData\97611042725250258194.exe
    "C:\ProgramData\97611042725250258194.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1404
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- - C:\ProgramData\75078446944525282934.exe
    "C:\ProgramData\75078446944525282934.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:540
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- - C:\ProgramData\68453887710495628565.exe
    "C:\ProgramData\68453887710495628565.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4008
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- - C:\ProgramData\84327230619354191524.exe
    "C:\ProgramData\84327230619354191524.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4348
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- - C:\ProgramData\78096539593513297728.exe
    "C:\ProgramData\78096539593513297728.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2600
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2772
- - C:\ProgramData\52640177584545636565.exe
    "C:\ProgramData\52640177584545636565.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4892
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- - C:\ProgramData\48860180401457322117.exe
    "C:\ProgramData\48860180401457322117.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4684
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- - C:\ProgramData\04577416811103597989.exe
    "C:\ProgramData\04577416811103597989.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:976
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- - C:\ProgramData\08073082593105840817.exe
    "C:\ProgramData\08073082593105840817.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:632
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5072
- - C:\ProgramData\49774153538682474189.exe
    "C:\ProgramData\49774153538682474189.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5068
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2844
- - C:\ProgramData\91196299514275159653.exe
    "C:\ProgramData\91196299514275159653.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1264
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2580
- - C:\ProgramData\13100886574642325830.exe
    "C:\ProgramData\13100886574642325830.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1784
    3⤵
    - Program crash
    PID:912
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4360
- - C:\ProgramData\40070710336698156195.exe
    "C:\ProgramData\40070710336698156195.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1772
    3⤵
    - Program crash
    PID:3080
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:4120
- - C:\ProgramData\79750628408281217578.exe
    "C:\ProgramData\79750628408281217578.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3584
- C:\Users\Admin\Desktop\zalu.exe
  zalu.exe
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2580 -ip 2580
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4360 -ip 4360
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\00826287015071209533648075

Filesize
92KB

MD5
651d855bcf44adceccfd3fffcd32956d

SHA1
45ac6cb8bd69976f45a37bf86193bd4c8e03fce9

SHA256
4ada554163d26c8a3385d4fe372fc132971c867e23927a35d72a98aadb25b57b

SHA512
67b4683a4e780093e5b3e73ea906a42c74f96a9234845114e0ea6e61ab0308c2e5b7f12d3428ce5bf48928863c102f57c011f9cdc4589d2d82c078b3db70c31f

Download Submit
C:\ProgramData\25946502578534740446741387

Filesize
20KB

MD5
a69afc9a6bde571bff04f11bd2202a4a

SHA1
a6ce9ee58729c8265894d588372429812e9b21a0

SHA256
c1199076f9b8419d868748f6b71d7713cd18b3844f4d8d5ea26979bdae9c1e7a

SHA512
262d0e9dc269820f52317a1e4112432a2a4398736313abcc7840d811ed9135452a20684ae246fa0b5f2428f1bb7b626f9e58a78028bd979952990bdce535d05c

Download Submit
C:\ProgramData\30072368495344701798432321

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\32303000205236744822.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\32303000205236744822.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\53694094121272323964213915

Filesize
20KB

MD5
f48964b2cd63e0f849e74863fcb15ff4

SHA1
26e5b28b0c34ff6bef0d5cdb27cca972b11e9ec6

SHA256
79f4ede910eac8f72f74235ad16f9543003ce105157545482f09e13afb6f3639

SHA512
0221cd57c8401c92fc83c763c928271c1aa4dd975b671ef1f8c20f9f56ba4556f02f7ed9b8e8d3afa3f8e89328b7f24ca5cecf38df95ae1968e3cfd468626c6c

Download Submit
C:\ProgramData\68032164403130668738204776

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\68069148471443146625.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\68069148471443146625.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\68069148471443146625.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\72711061430777737183989731

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\73931693580275876528.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\73931693580275876528.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\84192515479556386521744478

Filesize
20KB

MD5
6402513f70a74f086891d11230bf2da6

SHA1
693940238b86d001cec4d8f3f5ecb31846abcf2e

SHA256
732941447a67b90a13dd53c9e8f754aa76387fa2f1ec3b56f4c283fd8f3daacd

SHA512
a4231f0b2a24206c5f1e112c331eaa9f8d9a02ae9d95e9f987188a2b46c352968be27864ad9c8a7f9d98748afe88be98fbf33eba9794de620e94eea7abf768d2

Download Submit
C:\ProgramData\89861846514005747335408892

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\91609480322055791477323269

Filesize
20KB

MD5
a1605a38f21d6c6e1d93bbb65fdb57bc

SHA1
f75a3c3dd3a7779e3f53fb74471e1230cdae7759

SHA256
0bc374ff35e394d26dacd59df55ab0c648ec1c0808e576f2ed0597649580332e

SHA512
e5689d8b9dc4da1f142996ad64fb64cf1494a7010555d40b42ec837589838d5abdd2c37ee07d4c1226d04dd4fd883b01cb7b832b3334bf05da37d5cf6aa60067

Download Submit
C:\ProgramData\96284290573215481310990752

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
272KB

MD5
8343c90bbfc355f73afc7e632cad0a88

SHA1
7029feb7ff5ad315acf74fc331bb95209bdf3abc

SHA256
4828300290c1db807544af1b9afdeecd58ad89b213c779ea1c289b9ac3c39184

SHA512
b1ccaa6111662927247b7571688ccc6d5345946998c1d48cd6c7e1aec9d7909db50aaab86e03851c544feb7fadd826d3b2278fb7cc6274c24070fe8bccb6695c

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
32KB

MD5
523088cee10fb2ef255ac045ae63a6a2

SHA1
b3d8f4902142a8b8ebb6af281e46dfed917fab07

SHA256
9ddedc2235a57510bedeb891cd440cdae3505700e43e60385901e4be6b068c3c

SHA512
c3213ad068cd05b654478a786e5355e44110c4c61f0017f7ca3f417b03ac1d145e21965bd9475e677c108a6c3f7bc0ab9e5cfc56bf87eae7b2e7a556309e1b57

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
965e643d41d2bc128e3bcd222b366534

SHA1
a580ba9f4551dcb826fd64df155e84441ab3d38f

SHA256
646fe5ec9d6610c10506e3010199e474439ff35d4ea3b978b8b0aa768f3c94b0

SHA512
410f71e75046b52ec5f22aa49660f75f75593b79c050c8ce8eed9e7e7d00b6938f2f784a1007be9618c8bb30b15fb1ee855845ef91303f2c69e7b09299fe3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
1KB

MD5
fc9db7199a674e2dfebc7e727d99a9d9

SHA1
fc5223fb3a5aac2efc351a2e88bd21da775e011c

SHA256
6ed39986a4c889fde041b1a1a765a9c9010afbbea45be0ae01b0e54008e7a8a1

SHA512
518b5b1b8438387dd48c98b141221b33fca64cf1407e007c04f395607c6eb59d3df203290015e40b87767dd4c9f66c50de5b94b8e841808cbecfc48dea085d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
dc9cff177000842f2a6012e44187a7ac

SHA1
d21b0e775cc8da0aa8ff411a9fca7d824d9c9d9e

SHA256
42ec597f23785bd1abab286493d81952a9484684bca351c01e711cca2fae0d40

SHA512
7631b223d6af02e592630e758fa368bc1fd6895f9f0bbe611bffd9df73bcfb7c8c0b0b03f87c727809e24174c88b7b40648da45426dce33e36576b4490a6b652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
84ad265a5a7236bfb87d0a8e671c83c4

SHA1
a54e0b425cc8d60b2eca1963bd88d660133f46d1

SHA256
92baf47d711a7bd954a3c134db0b42e75d87615a05af86d1d1f1bf1e13868621

SHA512
ae924c1645bcb6fe79047e93fc55d7d9bacfdf7d823ff525f6e3d3a4a7cebca61c91c08eaf353fa9f2145e58d0dfde95f7709a4483857f4b8258ce4348d8305a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
474B

MD5
effd404cebcf0aebc81bbeec1acdf65d

SHA1
fbc23db980e55c0f4654cd9eb12f608709421f81

SHA256
0a0b21ca3e276d6ee77e48971269d6cdf13d0683c54dc0770ea386faa31b8f26

SHA512
cd29e12261e91ae50a5fe7f59be49ac06e141a65078c98a1392523a2c742ae61fb363c18bb99b0198cb0702fdd42ab14929967910a02d1af07696e1cf138838e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
47a1b449d656a89e8ff4fc371752f68c

SHA1
823c27b7760b459d7d45cd2aca1ff5bb77e87dec

SHA256
64dcd6bdf5dc099c18bcb1409bb36082eb391c59406b642bbc4c6b393867ac17

SHA512
a08aa56c944b34134f230ee678b8b4aa8984c06831d3f279a60a56afd25a2c78ce07c98c2642a9a902e2d0b327245e4e5f282551cd0c85ca246741625609dd00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
92c5011f86fffe9dcd4197e8c8b2457b

SHA1
d6f7f408858250a36d15a149b2560a4457b2094e

SHA256
71ae3a11c8b5dd88ba4a5f32f610eb4649768b5d32b0f65a0d6c121986e21fb4

SHA512
34fe7671f532c96f4ada5b4697565f9f8a238d50475237a43d4c7b80dbc84a31c6c64147d88f80096857001e367e81d6e3ba99c6077c5003e818b56580ef2e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
43994dca5d4244ce97865863c41edef6

SHA1
eead135fbdae5855024e09292d3c2f5ec0a7237b

SHA256
b9bcb05e9950d3e2c028fd30797a47a20273542ef2a8a115b08942f0b0d9637a

SHA512
3c95c64c82ac25405823c8b4d1964ea10043961e1b05036baf04302246b0fce9019baa2f8d36903f0ca4bb98eb1e043b1865f91dc9e8260cf720afd9d1e9503a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
f48964b2cd63e0f849e74863fcb15ff4

SHA1
26e5b28b0c34ff6bef0d5cdb27cca972b11e9ec6

SHA256
79f4ede910eac8f72f74235ad16f9543003ce105157545482f09e13afb6f3639

SHA512
0221cd57c8401c92fc83c763c928271c1aa4dd975b671ef1f8c20f9f56ba4556f02f7ed9b8e8d3afa3f8e89328b7f24ca5cecf38df95ae1968e3cfd468626c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
0943a346b1d7ddc2d177a3d400b6a785

SHA1
cb8c5692683fe23af9521d3e6745fe9f6b27d063

SHA256
d9ef262c34f1d45fe14d0e31d47ccb897bf96a0b91731a9f305613943af882d1

SHA512
e88d49dd5cdc70329344a8029582adeff6ef25d425638a7abfb0fd30a04a67af9e0ec39e5d5139599ec2216c430113481649c9922d464ea078c249458705e198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
4eea9d3991a3eba0ffb38b65c5270606

SHA1
89110a1b1563ef40d09b474ba49df7fa9f9e02ad

SHA256
f1d60d5b29376e6fbab6b4cd5e9060632f8e07af6e43be7b298a8f202bd73276

SHA512
ff1a8488c8be147bab89fb36d876379552bf271be190e7874ced7ccca6debaafd6700dec0664577b4625ca41361c6f06324a54253993783466f21f5ec5ca97eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3706b7d05784a6369c0eccaf8c337ce5

SHA1
d43223e4934146933ae546fbbb9b921b71328f1c

SHA256
8ddff46ead9fb6eed47897ba7e8257aa3fb526df5f2b8cdaa6fd9bcb6fe7719a

SHA512
20d5eaf70c0994a75b8567538e8bda9ab5123b8bccd794bd67452d74d7dd7a8a105be34c8c0d8443649cefb8dc3fc7e93cfba234364ad610bfe6b65667915483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3afcb6013fd0df27703bf894515a328f

SHA1
4544a431a36f62d793f3fc6b52ae819017e66c51

SHA256
24894c48a5ee76af25092ab61d8f3297daf118bc3a9554166b41e12d9fef42c9

SHA512
902caff7f88dcade23c6d15f86273083a461b6cf01525a4eaed8b21fe1da23cb4f015b1240f926a80549e9164b99127fad858a5df8f608570278ca0d8ab8a151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5679a466acb2a6e7d7e88c5c214ddf88

SHA1
c2438d0c2a376b788a4c988e9f5cc4fa96246764

SHA256
ae39d271087f9b71cbb4b63428b1f7efd74b03b0164e872a1f31044daf9de4a0

SHA512
8246bdd4a9afa1a73bad35b9c212247ab089fad3a3d66d2e11243e2d5964b86fbf68264f550eb322294fd3b16f4e22703868a079362cd454dea139e120cffd5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
9e5f3526a9c8ffd5d48e2c44828b9123

SHA1
f0c81a905bb82d2d1710565f6bc374b1dbfa6b6c

SHA256
ac934aa6a130d9a17564997f74c603220b5eb6511bf55317e65a8da130c9424a

SHA512
070726fc38924ff36caf1ae6161a134dd00c2b20b104f4729d4a8ef9cd656d2a31f708f83cd65d0f6d3db6c20df75eeb78374460f79f898c24a67e0d973fc079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a0555fd994e514345cec11b0a04c52c8

SHA1
b25f83808429aeaac7f6bbe5762e870d1a6391bf

SHA256
2ef0bd9dcc57dee84b4607c8d61420ce73c4fa4985dfa00649b4578fe3ea59b3

SHA512
f0091e274111047245e9e07c5fe44c84ce06f91399d280a8ab8fcc114f01604c4fa337e3d5fc97809df17f5827e1e50a60595bc2ac68e3b0a1d4e3dd9e873fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24e06d883e7268e91f0b7a61357fe046

SHA1
437ef9103b6340d1f4ac93fd98e202b3f179c3ef

SHA256
c81305b27364cec81aa43f70a47629e10312a1baf773dbe1059697043489ed9e

SHA512
adb647c8ecbbeb91dd9ac66c1b26d62bc20ea5b460f90300557007e7ac202dfedb1bd9325135bccfa9e4b90af7e49e9b847098dbe73bbe3c4925f95e0c7a332a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f26074a6b2d9d0caad2c1659ff2d01d1

SHA1
c2b891a7025ac527bb4678f0e0debf7e6bfc3bec

SHA256
9d6b8ffee4d32d49eacd56b4e4d0b430287c3d6fd3e58cbd1294f823d0f1d235

SHA512
ab6b1b1b3d189ff3cf3c5479eb87e88e4e52b7eb4cecbdd757fa1c715029c44add6b16652eac946151e2fdf9e4d193893a4753fa70393ae54a5f7f70b7e48628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
784a51387993e9aeb34d4ad4ed93ab48

SHA1
1cbf9ea1b6c2ea18c8670f26ebf9c11d7d245bc4

SHA256
567af49b26f4676e8c8ad07b34db13ae7a9e19ba01e6bd1af390a611b44413f8

SHA512
ba34c55cea5840723b16f09f0a790f823a5a65657f8163018cbfcbc3a13c83b1b4b6a1f8ca0fe188c1ba7d78cc9319889235c0f6042a2013755fc6d820e4b9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
6c572f192f23dea6891dda4002055261

SHA1
51aed59c606a2f9c9006b923233a33e9be6c509c

SHA256
d65e5574075aaca94ddbc3c04d912282d5cd83418f7ac2bdfca5f799063bb6a4

SHA512
8c8084f5da379b0c7e03ab539443879be6b826972bec5e66e3006f4a55df640bdcd73693407265a618a3aa3f895513a528ac8f4286f377b1dd72782239b5c2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
5f148f964ad32f3e0c4eabc2a798521d

SHA1
41d1cae108c2ef2a93f67cc60b5ac83fcca9746e

SHA256
2fe33ac56614f1bfceb0c5814495d7caf9c30f39e5e05c98a939a8aca4b6334e

SHA512
2ba2a1e07e07a4b0d15932f3986a281bbb9cf42768de1a7caab69e41695e2c573a80e06901c9eaa27ec3886d2cff17a223dc416a3236c98bafd206a44f523586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
1c0959c9ec284d50997c4325ab06689f

SHA1
f3898087d7115a0ea406958adc4e02061cf0a9a8

SHA256
eea69e926909deb560bbe8d054898ee74d484cc245541287d0099103a143b3cc

SHA512
0083ea4d420eba62333c7c29397188a3f02d85aaad86c2f8a2b663f9dae3d49508e6eff757a4fadf09a6edc99bc10ee26aa73267ad6b6872da6feb6ce96e7685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
6df72653d50b7f72c0711ed9d1529a15

SHA1
fa375154bfecca98d253d7ecdaa8767015e095c2

SHA256
9a653ddb93d58104f7e970a9c90eab1340651228b26a6a39989b02d1cb6a4dd9

SHA512
d46de631733c3ff662e0f552d41cd15d6a09dd2cbea91a71a2a8883e89d7613aa1a79cc763fccc47a8aa4da7b1efe1960e6dd1fe9cd0331ca0312887db66ed5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
9ae4f816c58aab4be6462d8e0c18cbaf

SHA1
92a2c704d51ba98f104d86749a6e6c3bfc3bf3bf

SHA256
de2cacbc1653caa4310e6d25bde5524aa7c29fa870688ab16e173f0e967ed233

SHA512
1ce539396b87741a64475fad663c963af983e9ab895de8db515e8516bbd3debd4d5cbf1b03b1753b4cb3fcc3e2ad94e248c4143a0017e5cd6784ea0d78c94ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
c3c5f3c1d9ebab61092334b3189e1c9f

SHA1
37e06d304a981c00d80a332b2409449b77cedb2b

SHA256
599a283a3f61452331e394d4ea9ddd4f7a46a7fc86c9d8bc5dbd02bc107fed93

SHA512
95ab657edc78f68a5b840cd3c1b7782402e13d4feb037d07cdd604a0451e5b3c8b00b13b0b4d4cd0a3cdb69c6673e10d3da004709aad3e85951bbc187f5d5702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
72884d465068f4d7123f28517aaa776e

SHA1
fceb3242349a138626630b1155c726a4ae89bd37

SHA256
7d0f7fdd2f0cfd223edbaa411783764811509f1be314865cdb97a8458d5f694a

SHA512
16925ebacca5e97d1bd112ace53c127b58761c7b9d8bfc90c4e37cc326dc3cd38e94f1dfea01827844579f7626c8e356fbd7446fdb0d7f479fa2bef0809d76f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
62ba27404bee7008a7fd2111d20e5c0c

SHA1
3a2cb765b02c4abf469c4ad39b5215ab45c1906e

SHA256
f3c67d3b341b23278880639eab0926d965ba9df2258f3d567e7b124f4602a0e8

SHA512
585baca870fe2c97ae6908e84124a12fbfcaee9b7e0da38afaaa10122f1295c38b146269ed6d538b5a987abbac878fc05534421d8796fa1b0cc192a03348c722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
46db6ddbb3f7ca0b0497492095f5b432

SHA1
43ab9516e48ce713c8c6c7ff242c65e74524dcad

SHA256
6bb5465e637fe40d16ac8e586fb4bfe0fe4a7f5e344482c019b5ffefb64efbdf

SHA512
79f0cefa2b3237e8e06951f35a5f0b7ee4f6b9aacca95f2de45ba06323c3818af6eb86cc745c50c24c13c0c5c2ebea5dccbd25d7b64010fe3764628dbdf69bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
0fdbd2526ffe9b4d1da4b60981fc43f4

SHA1
4c7ace7c3003073ae15861622318392a7c9103ef

SHA256
ef3fa8081563f6b8523abf2a4c9eac01c07afc0421ce10da402e2001da583d55

SHA512
312df9e7b8509d931408f0e466bb7a7c0e7055476fbb4a7d2a0ef84856a77ad7d60534415b17aa2a58475b84b19b9d077a17e889743fa6c6cc1df09c1830666c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe56f33e.TMP

Filesize
704B

MD5
34e718026fc80de6ac0022690b92f4da

SHA1
95316873364524e733316d6287ad8e903fa5f63b

SHA256
a48e8a895576372a3e2bd98f4d7c754bcafc3a6bc3add52283356b3674f7c817

SHA512
80f398ce3425e73de3f8cf9b8ba84e4ae3509339d0578665abfc813aea632c2a02b7ea4a17268f7e3cd4b8ff1d88808f99ee094f7fcf9cd1bd9bc79ae737d7df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e289f1c8-65cc-4ccd-a07b-86ee3406a0dd.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
5fa557e56f8bbe5b8711603c4b03e087

SHA1
c145a8f9a32059c3d1b77cdf42b2ac1a38eeb620

SHA256
fe879a8ab821aed435e98b82ee40a3e9baea79561dde55bd6f88f792ba4359ac

SHA512
cb9f339521e4fd62c5a0bae2a2f015affa3e40e00fb59f851adf04615669227dbdea856b4cf84cce417858cafcd276912311894feaa45c6ac75eb01ba6249c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
fb9349ce29627a4e469fdd777049de8c

SHA1
637712e7fdf1f385a8340b3dd4dbd8bd0cdfb47a

SHA256
dfa6894d65b74acfaa1e9a580f4ff525151a16416425621aa0c798d239f725d7

SHA512
a0f0fbb7b4a6a123880b95efd50f90e33c5ca95f2650c7efc6149851d78cbe3612b326bbeffd0c61038e74031931c0f125d09ab9f5f3c3428b3fdb440247900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a841fa88f1be4a011d3b0634bea06e2d

SHA1
5a19e3d246bfc45581e88c2828263d516bc8eb8b

SHA256
3b2653b0e52eaed9e46dcb09ff1da522af9f1781ce34b3c6696bb6b52d6b8688

SHA512
48497bc2b13bc9772817068380ac04d567358b9beb1e4f28dcbe4c9905ea98a357aef04908d06b735f28bdab1b1236ee1a90692d08d897cb753c9829ba70c3fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
5fa557e56f8bbe5b8711603c4b03e087

SHA1
c145a8f9a32059c3d1b77cdf42b2ac1a38eeb620

SHA256
fe879a8ab821aed435e98b82ee40a3e9baea79561dde55bd6f88f792ba4359ac

SHA512
cb9f339521e4fd62c5a0bae2a2f015affa3e40e00fb59f851adf04615669227dbdea856b4cf84cce417858cafcd276912311894feaa45c6ac75eb01ba6249c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
6a1d732af6eb2d5e39917fb6d0d3cd40

SHA1
2981e90b27d16f79c07433cd177d5f77b0f26b42

SHA256
fb7e11ee05163c7dbcc973b194c6789afe2d8949c693b2e5b5ae71eb615fd563

SHA512
01750f3b62298f335786bcaddbd127c79c91cde0c2b2200dea8299e0a6ec45287b4cec597dfb556bde0d9ee7ac1227aeb26f05b7ca4859e6633aa202128dfca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in1smjuw.3ff.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
bdad0444470041500b7e00b4902eec43

SHA1
0d5581819c4d165cb840dc7e285bfde8326b1492

SHA256
a3121eb004e5a3194cf070730d0c6935837b656027698655e4d87bb372483d00

SHA512
510445d914a550f88faaea310fcc0ac2f43b3b96f39a77371bc21f40e9c52d8c41e34395ef1a6bd9c9063cdbf30aacacb3fcaa61d8d519316fea95ed3e486dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
ceefc82e46dca1a350c6dfec5b6b9e0e

SHA1
4d143233776b87ce45a3b0ca5d67a58e3fc9121e

SHA256
9586f619a44d21e8abd9943e70608b95632001d5f91a2c26680c6c47c0e989c1

SHA512
4cd95f647da106f94e71a71fc0c1f4cdd4abfed2939191990865a3dcac4a050c61cbb8df8d16e4b3d1b3e1c089f53b0ed5709690024742f6d7ae5c53fbd8bc66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
25d79645beba3b51beccaf55d7cdf996

SHA1
7428e789c79d72519cb701e9434c6179ed3bb6c6

SHA256
5822c38c3579b29102dfc53147c5fdbb67d84ae7a304fe1c90918df0c5cde530

SHA512
5c9f9435d77b2e17b5be7973c3ce9cd66d2e20986ca08a6d555120e4585e7cb244386c0e759de0816a31ed3c8e958d918545d5d39618f01dc828b5db3b9d91da

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
705.7MB

MD5
b4e82b3d8e18cd0018c0346af60dff68

SHA1
dba8eb840f76746670609bbd248108969dab0dbc

SHA256
70264076d6491dd2010dac2534381f964dab1d86d683167077cf3e851f92b465

SHA512
f27de2ad15a81426c5a2abc1df5748dafe97c6e66cb2184f4fc5b1282bc9d58dc466e586b644f123cbb97ab1afb0f96dc1dba9fa3eed18a6db7d31e3c1323084

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
705.7MB

MD5
b4e82b3d8e18cd0018c0346af60dff68

SHA1
dba8eb840f76746670609bbd248108969dab0dbc

SHA256
70264076d6491dd2010dac2534381f964dab1d86d683167077cf3e851f92b465

SHA512
f27de2ad15a81426c5a2abc1df5748dafe97c6e66cb2184f4fc5b1282bc9d58dc466e586b644f123cbb97ab1afb0f96dc1dba9fa3eed18a6db7d31e3c1323084

Download Submit
C:\Users\Admin\Desktop\ConfirmSend.bat

Filesize
50B

MD5
f56349a1996d53f3139d1697b5643bbb

SHA1
d9b7848a38c9abcef419be36546248456a2ff795

SHA256
9027db11cd0df64fc771c84cedc0893b2428a4b27d6ef4292a79c2796b489268

SHA512
0e020ad4e68488be942ff64e42138ada07c043d5f6eb61d8e8aecdf99409dcc956ce50d778c1adb8bccf59e08c7c3fd53a729c7bbab1a9a87397d808b369e789

Download Submit
C:\Users\Admin\Desktop\ConfirmSend.ps1

Filesize
25B

MD5
38e335e207c7903b4ba44b023901d59e

SHA1
24592caf2a85612d2cb6f6c8fd8158949c10c436

SHA256
420c83cabccb9b8b3576d267a6a1809916e0443a8ef265900fe5620d062d0d92

SHA512
6d8c9eea2c92b947631ed3f77fc7e99fd00c07a52fba07d02fe3041dc0981f1e1abf9cb18eb5f9c17f82e47375ff786906b0687bf58f779776e5ee81e6e9d802

Download Submit
C:\Users\Admin\Desktop\ConfirmSend.ps1

Filesize
25B

MD5
38e335e207c7903b4ba44b023901d59e

SHA1
24592caf2a85612d2cb6f6c8fd8158949c10c436

SHA256
420c83cabccb9b8b3576d267a6a1809916e0443a8ef265900fe5620d062d0d92

SHA512
6d8c9eea2c92b947631ed3f77fc7e99fd00c07a52fba07d02fe3041dc0981f1e1abf9cb18eb5f9c17f82e47375ff786906b0687bf58f779776e5ee81e6e9d802

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 426349.crdownload

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit
memory/380-1471-0x0000000000540000-0x0000000000D8C000-memory.dmp

Filesize
8.3MB

Download
memory/380-1459-0x0000000000540000-0x0000000000D8C000-memory.dmp

Filesize
8.3MB

Download
memory/540-1784-0x0000000000850000-0x000000000109C000-memory.dmp

Filesize
8.3MB

Download
memory/540-1777-0x0000000000850000-0x000000000109C000-memory.dmp

Filesize
8.3MB

Download
memory/772-1538-0x0000000000700000-0x0000000000F4C000-memory.dmp

Filesize
8.3MB

Download
memory/772-1550-0x0000000000700000-0x0000000000F4C000-memory.dmp

Filesize
8.3MB

Download
memory/1272-1313-0x0000000000140000-0x000000000098C000-memory.dmp

Filesize
8.3MB

Download
memory/1272-1306-0x0000000000140000-0x000000000098C000-memory.dmp

Filesize
8.3MB

Download
memory/1404-1695-0x0000000000A00000-0x000000000124C000-memory.dmp

Filesize
8.3MB

Download
memory/1404-1707-0x0000000000A00000-0x000000000124C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-892-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-878-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-917-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-921-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-913-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-908-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-877-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-914-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-879-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-895-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-890-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-880-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-881-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-889-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-887-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-886-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-885-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-883-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2084-882-0x00000000005F0000-0x0000000000E3C000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1389-0x0000000000340000-0x0000000000B8C000-memory.dmp

Filesize
8.3MB

Download
memory/2572-1381-0x0000000000340000-0x0000000000B8C000-memory.dmp

Filesize
8.3MB

Download
memory/2600-2021-0x0000000000E20000-0x000000000166C000-memory.dmp

Filesize
8.3MB

Download
memory/2600-2012-0x0000000000E20000-0x000000000166C000-memory.dmp

Filesize
8.3MB

Download
memory/2744-1152-0x0000000000E20000-0x000000000166C000-memory.dmp

Filesize
8.3MB

Download
memory/2744-1140-0x0000000000E20000-0x000000000166C000-memory.dmp

Filesize
8.3MB

Download
memory/2780-945-0x000001D158F70000-0x000001D158F80000-memory.dmp

Filesize
64KB

Download
memory/2780-944-0x000001D158F70000-0x000001D158F80000-memory.dmp

Filesize
64KB

Download
memory/3628-133-0x000001B033EB0000-0x000001B033ED2000-memory.dmp

Filesize
136KB

Download
memory/3628-144-0x000001B033EA0000-0x000001B033EB0000-memory.dmp

Filesize
64KB

Download
memory/3628-145-0x000001B033EA0000-0x000001B033EB0000-memory.dmp

Filesize
64KB

Download
memory/3628-143-0x000001B033EA0000-0x000001B033EB0000-memory.dmp

Filesize
64KB

Download
memory/4008-1942-0x00000000004E0000-0x0000000000D2C000-memory.dmp

Filesize
8.3MB

Download
memory/4008-1862-0x00000000004E0000-0x0000000000D2C000-memory.dmp

Filesize
8.3MB

Download
memory/4220-853-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-871-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-869-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-858-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-857-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-856-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-852-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-875-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-855-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-851-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4220-854-0x0000000000A90000-0x00000000012DC000-memory.dmp

Filesize
8.3MB

Download
memory/4348-1939-0x0000000000B60000-0x00000000013AC000-memory.dmp

Filesize
8.3MB

Download
memory/4348-1941-0x0000000000B60000-0x00000000013AC000-memory.dmp

Filesize
8.3MB

Download
memory/4368-1233-0x0000000000690000-0x0000000000EDC000-memory.dmp

Filesize
8.3MB

Download
memory/4368-1234-0x0000000000690000-0x0000000000EDC000-memory.dmp

Filesize
8.3MB

Download
memory/4568-827-0x000002CA57690000-0x000002CA576A0000-memory.dmp

Filesize
64KB

Download
memory/4568-832-0x000002CA57690000-0x000002CA576A0000-memory.dmp

Filesize
64KB

Download
memory/4568-836-0x000002CA57690000-0x000002CA576A0000-memory.dmp

Filesize
64KB

Download
memory/4644-1625-0x0000000000AA0000-0x00000000012EC000-memory.dmp

Filesize
8.3MB

Download
memory/4644-1708-0x0000000000AA0000-0x00000000012EC000-memory.dmp

Filesize
8.3MB

Download
memory/4688-1050-0x0000000000920000-0x000000000116C000-memory.dmp

Filesize
8.3MB

Download
memory/4688-1059-0x0000000000920000-0x000000000116C000-memory.dmp

Filesize
8.3MB

Download
memory/5040-716-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-698-0x000001A07DEC0000-0x000001A07DEC8000-memory.dmp

Filesize
32KB

Download
memory/5040-715-0x000001A0195D0000-0x000001A01966A000-memory.dmp

Filesize
616KB

Download
memory/5040-688-0x000001A07C2F0000-0x000001A07C328000-memory.dmp

Filesize
224KB

Download
memory/5040-714-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-743-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-725-0x000001A07EA20000-0x000001A07EA3E000-memory.dmp

Filesize
120KB

Download
memory/5040-724-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-723-0x000001A07F020000-0x000001A07F096000-memory.dmp

Filesize
472KB

Download
memory/5040-720-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-719-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-712-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-717-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-946-0x000001A0195D0000-0x000001A01966A000-memory.dmp

Filesize
616KB

Download
memory/5040-906-0x000001A07EA80000-0x000001A07EA92000-memory.dmp

Filesize
72KB

Download
memory/5040-689-0x000001A07E810000-0x000001A07E85A000-memory.dmp

Filesize
296KB

Download
memory/5040-718-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-713-0x000001A07EA50000-0x000001A07EA76000-memory.dmp

Filesize
152KB

Download
memory/5040-711-0x000001A07E7D0000-0x000001A07E7D8000-memory.dmp

Filesize
32KB

Download
memory/5040-710-0x000001A07E7C0000-0x000001A07E7C8000-memory.dmp

Filesize
32KB

Download
memory/5040-709-0x000001A07DED0000-0x000001A07DED8000-memory.dmp

Filesize
32KB

Download
memory/5040-708-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-907-0x000001A07EFA0000-0x000001A07EFDC000-memory.dmp

Filesize
240KB

Download
memory/5040-693-0x000001A07E860000-0x000001A07E898000-memory.dmp

Filesize
224KB

Download
memory/5040-692-0x000001A07DEB0000-0x000001A07DEBE000-memory.dmp

Filesize
56KB

Download
memory/5040-691-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5040-690-0x000001A07E8E0000-0x000001A07E8F0000-memory.dmp

Filesize
64KB

Download
memory/5072-746-0x00000000004A0000-0x0000000000BF1000-memory.dmp

Filesize
7.3MB

Download
memory/5072-758-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download