laplas | hxxps://www[.]dropbox[.]com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1[.]13%20%2B%20Zafiro%20EA%20FTMO%20v1[.]13[.]zip?dl=0

max time kernel
160s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0

Score

10^/10

laplas vidar 2ca19830ec2c67b5159166c89d3ebb74 clipper evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.2

Botnet

2ca19830ec2c67b5159166c89d3ebb74

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
2ca19830ec2c67b5159166c89d3ebb74
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	25353558628460076546.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	20664329427801299664.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	20664329427801299664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	20664329427801299664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	25353558628460076546.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	25353558628460076546.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Executes dropped EXE 3 IoCs

pid	Process
5432	25353558628460076546.exe
3768	ntlhost.exe
2196	20664329427801299664.exe

Loads dropped DLL 6 IoCs

pid	Process
2276	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
2276	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5792	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5792	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
3772	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
3772	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	25353558628460076546.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25353558628460076546.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	20664329427801299664.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5432	25353558628460076546.exe
3768	ntlhost.exe
2196	20664329427801299664.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e89b808a-0727-44cc-a120-e7a85e8645df.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230608114627.pma	setup.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2492	4168	WerFault.exe	126
5596	60	WerFault.exe	146
6072	5900	WerFault.exe	156

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	143	Go-http-client/1.1

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{16B0C7B2-98A2-4F80-8C5D-5B11F91AA508}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3804	powershell.exe
3804	powershell.exe
4808	msedge.exe
4808	msedge.exe
2888	msedge.exe
2888	msedge.exe
4772	msedge.exe
4772	msedge.exe
3940	msedge.exe
1996	identity_helper.exe
1996	identity_helper.exe
5648	msedge.exe
5648	msedge.exe
2276	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
2276	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5792	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
5792	Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3804	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe
2888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3252	2888	msedge.exe	88
PID 2888 wrote to memory of 3252	2888	msedge.exe	88
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4896	2888	msedge.exe	89
PID 2888 wrote to memory of 4808	2888	msedge.exe	90
PID 2888 wrote to memory of 4808	2888	msedge.exe	90
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92
PID 2888 wrote to memory of 560	2888	msedge.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://www.dropbox.com/s/zj7cz5633tszjk3/Zafiro%20EA%20MFF%20v1.13%20%2B%20Zafiro%20EA%20FTMO%20v1.13.zip?dl=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb897646f8,0x7ffb89764708,0x7ffb89764718
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7951f5460,0x7ff7951f5470,0x7ff7951f5480
    3⤵
    PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16504446909508719960,6843892128964990479,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:5984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6120

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 656
  2⤵
  - Program crash
  PID:2492

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4180

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2416

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2188

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1384

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5504

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5140

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
PID:3772
- C:\ProgramData\88950757637236479474.exe
  "C:\ProgramData\88950757637236479474.exe"
  2⤵
  PID:6040

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5468

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1784

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4168 -ip 4168
1⤵
PID:4824

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5568

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1624

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2540

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4752

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3552

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:60
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1604
  2⤵
  - Program crash
  PID:5596

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2276
- C:\ProgramData\25353558628460076546.exe
  "C:\ProgramData\25353558628460076546.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5432
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 60 -ip 60
1⤵
PID:5576

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5756

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5792
- C:\ProgramData\20664329427801299664.exe
  "C:\ProgramData\20664329427801299664.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2196

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5776

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5460

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 1604
  2⤵
  - Program crash
  PID:6072

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5900 -ip 5900
1⤵
PID:5972

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3612

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2996

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:944

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:536

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4824

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5540

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:636

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3760

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3380

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5264

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:208

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5992

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:444

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2604

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3900

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:6012

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:216

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:60

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:6004

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5420

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4408

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2820

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1780

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4360

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5268

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5732

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5808

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2160

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2276

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:6060

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3356

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3644

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1408

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4372

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2000

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3648

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1448

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2392

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1860

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:1904

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5820

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5444

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4676

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3436

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:780

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:708

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2860

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:3812

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:2880

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:5340

C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe
"C:\Users\Admin\Desktop\Zafiro EA MFF v1.13 + Zafiro EA FTMO v1.13.exe"
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\20664329427801299664.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\20664329427801299664.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\25353558628460076546.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\25353558628460076546.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\25353558628460076546.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\25612263621361120887053154

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\31578872038675573144739413

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\34198067022304709106294164

Filesize
92KB

MD5
4b609cebb20f08b79628408f4fa2ad42

SHA1
f725278c8bc0527c316e01827f195de5c9a8f934

SHA256
2802818c570f9da1ce2e2fe2ff12cd3190b4c287866a3e4dfe2ad3a7df4cecdf

SHA512
19111811722223521c8ef801290e2d5d8a49c0800363b9cf4232ca037dbcc515aa16ba6c043193f81388260db0e9a7cdb31b0da8c7ffa5bcad67ddbd842e2c60

Download Submit
C:\ProgramData\50270056721997252021056399

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\65569206102458577514652260

Filesize
20KB

MD5
0a822e5ef56b686356983d91d92b67d8

SHA1
0d6627e129cf2f6a49b89c91c9ac59cc37999ce9

SHA256
77425f2a345ae02bee9acd37a6e69d6d504550103d4c92393f01fe700de5a95b

SHA512
3e56df9414f8b3c628d5375000871640751e054308cde0e5fb7307a60847aa36606db723ffefa8577eb5b692057bafe1f396b30a69bb5f5b00e99b8160e6815d

Download Submit
C:\ProgramData\77480859290401229787409767

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\77480859290401229787409767

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\88950757637236479474.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\88950757637236479474.exe

Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
320KB

MD5
359529e3fd3d1ef484b67ce5f3483d56

SHA1
d27c94914883ec2b7f6feab7b0f77d264a578c96

SHA256
4310414b8cf4ed75a52c8147b07d9fe4b03c818560878aaf829eff16fc172b50

SHA512
594dffe2101d93f6f9d16a9923c554025846c7df707d73c3a7c12545a39f3bf11243514b1aa351b99fc2bd5b96b944a4644fb02386eb59e969ca7b2d47744f41

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\softokn3.dll

Filesize
112KB

MD5
f61ba44ac31155865b6c3ea37baed463

SHA1
d640184db9ef513eef5d6d32c2afdf642b8644d9

SHA256
aa2b3d7fab2990d45da44aa3af546f4737ef6255083789c08e588bff986dd050

SHA512
fe74ebf81c1047f3bcca5996a850fea5b2593516c1c076b758d56a862980c24845a0727f983ab071660461d0aea7e62f027f719dd80a07428c012169903a43e4

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
965e643d41d2bc128e3bcd222b366534

SHA1
a580ba9f4551dcb826fd64df155e84441ab3d38f

SHA256
646fe5ec9d6610c10506e3010199e474439ff35d4ea3b978b8b0aa768f3c94b0

SHA512
410f71e75046b52ec5f22aa49660f75f75593b79c050c8ce8eed9e7e7d00b6938f2f784a1007be9618c8bb30b15fb1ee855845ef91303f2c69e7b09299fe3153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
1KB

MD5
fc9db7199a674e2dfebc7e727d99a9d9

SHA1
fc5223fb3a5aac2efc351a2e88bd21da775e011c

SHA256
6ed39986a4c889fde041b1a1a765a9c9010afbbea45be0ae01b0e54008e7a8a1

SHA512
518b5b1b8438387dd48c98b141221b33fca64cf1407e007c04f395607c6eb59d3df203290015e40b87767dd4c9f66c50de5b94b8e841808cbecfc48dea085d4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
dc9cff177000842f2a6012e44187a7ac

SHA1
d21b0e775cc8da0aa8ff411a9fca7d824d9c9d9e

SHA256
42ec597f23785bd1abab286493d81952a9484684bca351c01e711cca2fae0d40

SHA512
7631b223d6af02e592630e758fa368bc1fd6895f9f0bbe611bffd9df73bcfb7c8c0b0b03f87c727809e24174c88b7b40648da45426dce33e36576b4490a6b652

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
ef5d9d3ff45cba797e5e9dc04a95b753

SHA1
3a644e93f02f1a8696ac6cae4f3f55ddd3d7edb3

SHA256
9482243fbfdd76e71a9438b3fb792d106f1fe62ce3a76641aae35b7a3e0703e8

SHA512
8b6e00475a1cc4edcd532dab2f9947e833dac4dae2fac4acc2df4028b8c30a1e8e10d2f083369be8502daa9c1ca03109a540a2fe87adbc5c227489b4e89503f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30

Filesize
474B

MD5
1560fe86c1e90b3198a85511f51a7fbc

SHA1
6b272c26f1f4428b0234af25eb8d3a8ff33965e5

SHA256
1c420bed48a72ed8b2a2c103cc034e829a0561fb5347235629df735a09d19b37

SHA512
7418999794c5c1fdbf22a6dfe83056fe12ea867effe396a12550ef31b39803ebc64a47b7239f6e60b71841b501735bf9e85739a41ae3c1858302d6032c35af16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
5e742aec0c83368a06cc00e076d34fa3

SHA1
95710d82a5f636212fb58690e765931e6c51603c

SHA256
7ffffbc35d86bd29664f0230e42883ee7e157f12e12ecb8c6d54a961e1ac1128

SHA512
4ac1bed358d7366b10b3fef4996e4104710c3631e09177aae99a5747e6bf47345bfcb499cce027073a47e70e9b57ccc09f178851b14d7b7f85c44c4a1eaed0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
fe1379d1cf9746dafeea4331f88d2900

SHA1
dd37d48c32a6d5014a4b329f37bb2aa90f353a1c

SHA256
4e095e733985f1f6bb058c75a6b10dbbf9c2b450904b12c3a84feff6290fb020

SHA512
a6a2acd787b4d3dcbc626bf18fcdc7c98db01182a6a516446ebb09ad55c64a6e5ef9485760895c27b6d6959fc73dca537fcaf1397a75ef4879001c10954e610c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3a06c6786b106b99e9a735824549579e

SHA1
f1e554de77415abaafdb15d75e16d01e61bddc85

SHA256
9afa10c4aace3fd3bde1c800fa2c7a9d1cb4e88432560980b218fd7c339cf17f

SHA512
02f753eefb6cab6f5c5a307de88d96a7ccb843b5197981219db511211125143d5379780eaf78fd770ea64f2cdedd18b8309a7a0d13d0823728847bc88fe6569d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
0a822e5ef56b686356983d91d92b67d8

SHA1
0d6627e129cf2f6a49b89c91c9ac59cc37999ce9

SHA256
77425f2a345ae02bee9acd37a6e69d6d504550103d4c92393f01fe700de5a95b

SHA512
3e56df9414f8b3c628d5375000871640751e054308cde0e5fb7307a60847aa36606db723ffefa8577eb5b692057bafe1f396b30a69bb5f5b00e99b8160e6815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
cb5d3dba5f839610d711622386abbf90

SHA1
28d93e1b5067837581b440505ffa7f35e5ee73c9

SHA256
9267d5cac8555627f0bd3b5baced1c911ac783ab863d6a9c2e44f3aa7fe251f8

SHA512
2def32df0e8830bbcf28b10a10beedb95f184dfbe232287fd8f7258a4b28b392eab787541f573c67365f85176cb18f1e7f356913c09ac93a5ac6b734fba2ee4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9e836063018e408d62fb99a9c90b708a

SHA1
d7c9b7446557e579dbf3a342237b300e2c6c3c6c

SHA256
c84e1f51741856455d8d33b313b7ba8527f84db793e83086c7794e55b02bbc03

SHA512
feeba0bfe9d79437a0b7510e6d6dfe03b7657252a8c4c1fdf0c32d4deca5e8b5531bab712be4f2ff03f146161900b211d57e2d28c81e91f9e3bc2e176186f43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
188aa55d0a8d80802247540ec444228d

SHA1
15d9dd391ab6f0ec616221f840b4caff8f38a4eb

SHA256
5e36ddd1d0806e39897f7121a44030ea29a8e2819c32610f5df5ecb7f234bbe4

SHA512
b36ba7ce3ebc3cb909b49ed0e804385926822b011cddb38e0c8c53f494a0b39b959ef3f495e3e57646e0385c28739ca966f82d5ae34024550f52026b157d1f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbfcd8e08aae6f10ca3a236e9d06a1b0

SHA1
4b54773ec2a33ae76171eb941543d7a34e0e7421

SHA256
9f77dd9330c776768702354b74246e0b74c86c5bddbd87b2e3c1b6c4b0fea6dc

SHA512
7b68320b0721d68b5893603944f281900ca06c97970930fa9ef442d80b2ffd63eec754241135580442c5999d9607568de5b89f8625c99b12e869ecbb0b1751ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d9aed54bc93e29bc3281d40876aadc8

SHA1
6398c9e6d34b2d47c64aead22f456c64a67f350e

SHA256
67238ac7703ad69522230c66b61b850b74838115aa49b56e641c7cfb420dc2da

SHA512
b530a3dc2622a87bcde3450fa22c947a154899ef92b4d64f1ec458d1b6e3f8fab7c782cc0f2761a89d33ccc8651706d341d5d2e5c952685eda4bbc77a91864e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
ea01039389e11936940320e31f3ae617

SHA1
c0c8107a882e9b3221b94c9012de75a9168250fa

SHA256
e49be0f97f084c7fe97fad0d11af97974aab4d468d9350a7cc8fdb4e043875d2

SHA512
534ed5daa51ec563adf448f1d1e97d69be7e46e0b83e9c2dc5b83334d6526b32cb9b83e1be9403bfdad476a6ed4db44962d6e556a4f44b4f7e4faf1f46e760e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2eaf8de3173d3395c5a5450770d12dc

SHA1
54bed0a40a0a4d1aab261855d0dd437e328ffeaf

SHA256
2542c686b387febf461a1b64fe2adb8dc9cb123241b8155e2c0ce62d08badbfc

SHA512
d75105e3c71a3517c70837c48eb5a5425107788f2f5b72ab65bf299009b40efeaf879dd8aaf15b15a45d1be9145711e3ca674121ecc2b2e08d4436ff8653ead8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30f570d0628a6b5cc56d374410c82e45

SHA1
8c47e6508ffe3719a266787ee866ccd1db5284e2

SHA256
5679be6f2644094613232f94c9db52b0253a039673c00da5ff0ecbd570203d99

SHA512
8f38e7c27cc790ff694ba34e2d6bc2aa4b12b87a09d141fa17caa93451eb59ee5742f8db3e9cf99ac90b1d1e967aadff8a024526f53019b078f8499b67d34120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc5f988722f72244e9a4aa8e1d6a0ee2

SHA1
4a132601b1d75fe013d364df95b711223eb9f742

SHA256
8ae99505d61450350ed2799d1bcca3cf9bcd4dd2e6a99cfcfcb2e929704592d9

SHA512
be7c42520bfe8aa8a966881190240bfef15471e84c4dad78ee3c3c0adc14d02e24f6eb950a68914d5870d51c4e91e42cb91eaedc69c360cb9cdc70c40d0cea2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
877d7a17bcc4b44bf9a1a9f0d7ee52d9

SHA1
1a2d1b60c3a52dc168ec40be081eada9e14ee184

SHA256
34c24c7173e3e9ab29e552b1e146efd2d926198d7bc88b6bdf3fcf34552bc4f5

SHA512
bedfdabff1f6302dc43b25474f211259856f9e253f281e0b66b09c10bf2f825f9697ecccca1c3a2ffdfb55ae11491791f88f8e55594d45fd002b11089e041bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
d1d53612e78790214c37b216c31e3f64

SHA1
fb5393087bfd276074aa32cd74353fc303670c50

SHA256
1efe76e0d2491b08d0b13aaa85afcc9249bc957547037e82ba4567259159f700

SHA512
2626643691aff5053afea541f497152eefb38844be9f4266d06aab2afab4dc1438dbd1d9669067dab6c15b64a3288d97d3954c85d042d36b6fe059810be0ffa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
57080218edc79e27a1317cc7e76ac2af

SHA1
53d3d52c4e0d755db3adaa344f4a86bedd31ab0c

SHA256
d4817d6164536cab33659aa40cbc7b64726362304fafdc91856f690013e90879

SHA512
e1c0afe6cd619125e83ae730c07a9170aedb5dc4d67641380b7fc7e8947fa1e4040f87bda879473c4610da259128af4da8a98c1855a9ce23d7c19e2aab729d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe56d6ec.TMP

Filesize
704B

MD5
cae826aa48bb77da1909f3ad59fba3a4

SHA1
f26e41376bd6238c97659aa31e8bc05148068ac5

SHA256
6734113a366346a776d65826c58e770c449d412a5adf50f9f3866efce17c8723

SHA512
d1a6089699ae5f81febd7c7605592eee73a08afaa8c09fa76b013bae2ff9f14012323b82b9da308b496ac05b3d01bb8e0af17c434ad7ae8b4f3c704de2878ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7e9eb8fbe75a00ffea63408a0abad001

SHA1
03b1a335f5dbfeef3c11d95ba1863026d57e7139

SHA256
58d5418767a5800c115cd69198d8f5a4b5695facecc09f06acec0dfac0a84ad8

SHA512
f5327a1695323e1e2a10e496b1e527855e5b207e147d5ea122d51eacc54affd4665cd20e8929496c46044c89e8726c069b18e5c58c1c2021d4e01bfd6aebea80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
faca0290cafe89aae5966c0b795c68d9

SHA1
7f56255b46cf81d096c48f0c6f682b121ece3a81

SHA256
86aafd731839d8b71184cf5689ff2a05eed42a5bab4ebda3dd4c3b806420e906

SHA512
0d480c4c5bf45ac44b3c534147da021b37ab77fe5e3dfc53fd0c4a11d723cd0fef143ad5bcf1d9bf2604fc08d70b093ea1457aa4c1e89e5a5fab1a1157b5757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
309c07715e9ca6a8e3c0983d030ab5aa

SHA1
cda695dc7bfce8fc69d62e7628570df841085a69

SHA256
312107fbf8a531f914cb7ee6d5b2c33c3456bb690e99f26db68179338d1e085e

SHA512
adec1994a1f215d25e3251d0d8598b60f0046e947c0fcc965ad0787b82f31cdb1a7a027c574ace08c5b944f9572376e623cd78a1f545e0cfed03cd6ad627f567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
faca0290cafe89aae5966c0b795c68d9

SHA1
7f56255b46cf81d096c48f0c6f682b121ece3a81

SHA256
86aafd731839d8b71184cf5689ff2a05eed42a5bab4ebda3dd4c3b806420e906

SHA512
0d480c4c5bf45ac44b3c534147da021b37ab77fe5e3dfc53fd0c4a11d723cd0fef143ad5bcf1d9bf2604fc08d70b093ea1457aa4c1e89e5a5fab1a1157b5757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
b6be7e6fa5380828f5ba86ec94362607

SHA1
bc5cb2e79bb00a357f5cf236fe259a0f36b293d2

SHA256
9edef61bcb3f86d35bda098e71ecd6af8cd0073f37d5e50f9d49dfe6017b1903

SHA512
1d9e528f90ebe5755df894c37d2d782c31484844eb5d7523a061c03763baee892e3e85fde677e81db5cfd0b6b1a1e68dc26d14f6c85cb59fc09985095ce4b851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f9d38c84177bb277765a4b47cc883eb6

SHA1
7c7050ffa9011f4ed3a6fb3df0ad245a38abdaa8

SHA256
2c169028775f7ee0c9f575c35ad76fa82896fa16dac29fc07cab05c4d2858861

SHA512
a9a7be075d873016f521f0a7b015dbf46f4a50045ccafad45aaff7c466677a55710eb116c2eb98d14a421ec8447f073e9cd709cca23b1f589789c75f3fee3e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3dwwlov.avi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ed469a6762c64339614341725fcaaf4f

SHA1
0d6f5cbc47548a204627696afbb519a73104bc62

SHA256
b454ec1ffbf5b07ba1fb51719a453d69a0924d1f46b93f7b6c400e01ccc29200

SHA512
f204afc593ac5cabb4a7d19802ba2b7c4018fd0bb798e348cd23c7ae9e2bcf7de042a1f81f8097d0478df22f918ad67d2c9eafaa8f26c2753f73d631fe4356e7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
307.3MB

MD5
b5d1c5aeab6e20d8372f24d5409211fa

SHA1
3fda4d181a02dee74d2a9667f0b7725464eb0185

SHA256
ea7d2a85c495a8c8e2d6150ccd8aa2ac1c864a7e71e2ecf56ce6fb80cf19ba64

SHA512
182d67e1eb9f9601956dea18e9d8c2381fa93d4ae6f166ee1e8c514a014a7ba1e0842f1457fb2e0099b19fc912c5e481d4cbe9ff783bc2062c2643c8d8b84fd6

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
305.7MB

MD5
ca5c2715eef3a54a0b5b36c61c4c0ab8

SHA1
d6cd15d746f93f838964baf8f2df97086c55aff1

SHA256
523a15d5c3e1dc7b621ee3c5e7a6177aaeba19e9efb2656f0af875e23fd94089

SHA512
712320ecab6bc92c268564a3b965a6c363a63ec6632c24c51909c183493bb09deb3efec7a287a3e7c868a073ea4cc215466a2c75650621ffe6e449eebf1e2dc9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 781532.crdownload

Filesize
7.9MB

MD5
a0638548ba0b039ef86cab79b7d6a925

SHA1
e6b84bc5eaf1e7a505e2bd34536e3cd491422a15

SHA256
a063e4a346ef47f4c739515e005fe1bb2d3f887e093408775f0479c29c5bfbea

SHA512
e863f8b4a20e5cb7f91d33b41ca1356e2fcf3bca50b252a23902a208284b5c5c05e65b7f1977220766ae7440944f908b156f58edf4b6354ebffcb192fbee17e5

Download Submit
memory/60-822-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/1384-774-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/1624-811-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/1784-801-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/2188-775-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/2196-1036-0x0000000000150000-0x000000000099C000-memory.dmp

Filesize
8.3MB

Download
memory/2196-1025-0x0000000000150000-0x000000000099C000-memory.dmp

Filesize
8.3MB

Download
memory/2276-825-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/2276-834-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2416-770-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/2540-809-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/3552-808-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/3768-1026-0x0000000000050000-0x000000000089C000-memory.dmp

Filesize
8.3MB

Download
memory/3768-1002-0x0000000000050000-0x000000000089C000-memory.dmp

Filesize
8.3MB

Download
memory/3772-786-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/3804-144-0x000001F328790000-0x000001F3287A0000-memory.dmp

Filesize
64KB

Download
memory/3804-145-0x000001F328790000-0x000001F3287A0000-memory.dmp

Filesize
64KB

Download
memory/3804-143-0x000001F328790000-0x000001F3287A0000-memory.dmp

Filesize
64KB

Download
memory/3804-138-0x000001F32A910000-0x000001F32A932000-memory.dmp

Filesize
136KB

Download
memory/4168-765-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/4180-768-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/4500-802-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/4752-814-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/5140-780-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/5432-915-0x0000000000550000-0x0000000000D9C000-memory.dmp

Filesize
8.3MB

Download
memory/5432-996-0x0000000000550000-0x0000000000D9C000-memory.dmp

Filesize
8.3MB

Download
memory/5432-1001-0x0000000000550000-0x0000000000D9C000-memory.dmp

Filesize
8.3MB

Download
memory/5468-791-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/5504-782-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/5568-807-0x0000000000A70000-0x00000000011C1000-memory.dmp

Filesize
7.3MB

Download
memory/6040-1219-0x0000000000110000-0x000000000095C000-memory.dmp

Filesize
8.3MB

Download
memory/6040-1196-0x0000000000110000-0x000000000095C000-memory.dmp

Filesize
8.3MB

Download