customerloader | 9d1d5346149f31169406d2b23ec83fc292d561979a4f7819c26e74748d9efab0

max time kernel
967s
max time network
1053s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2023, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2023-10-25 08.11.54.png
Size

13KB
MD5

51e504750e157c50fd5f07ae7643639a
SHA1

aac2c4a1fd69fef7bff8c7447a6d13fa8a9a7452
SHA256

9d1d5346149f31169406d2b23ec83fc292d561979a4f7819c26e74748d9efab0
SHA512

b84134b916a1b91ced634997dbb810f77baa398e0e2c485db5a245e13609398d2c2e88dc6dec8080a769739125030aad33ca526480c67f46791537132020579b
SSDEEP

384:MjreO3cNJHZf1wup3chMjNuMQBmiL4htpBKdBZ:83Kbfmup3A+tpC

Score

10^/10

customerloader xworm cryptone downloader loader packer rat trojan

Malware Config

Signatures

Customer Loader
Customer Loader is a downloader written in C#.
downloader loader customerloader

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022ee7-526.dat	family_xworm
behavioral2/files/0x0006000000022ee7-545.dat	family_xworm
behavioral2/files/0x0006000000022ee7-552.dat	family_xworm
behavioral2/files/0x0006000000022ee7-1251.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

CryptOne packer 4 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral2/files/0x0006000000022ee7-526.dat	cryptone
behavioral2/files/0x0006000000022ee7-545.dat	cryptone
behavioral2/files/0x0006000000022ee7-552.dat	cryptone
behavioral2/files/0x0006000000022ee7-1251.dat	cryptone

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	EV3 Classroom-win-1.5.3.4056.exe

Executes dropped EXE 4 IoCs

pid	Process
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3940	EV3 Classroom-win-1.5.3.4056.exe
560	EV3 Classroom-win-1.5.3.4056.exe

Loads dropped DLL 64 IoCs

pid	Process
1708	MsiExec.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
4700	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe
3100	EV3 Classroom-win-1.5.3.4056.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e64fa20.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1AA31EDF-1388-40AF-97D3-EF1CCA5E211A}	msiexec.exe
File opened for modification	C:\Windows\Installer\{1AA31EDF-1388-40AF-97D3-EF1CCA5E211A}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e64fa22.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e64fa20.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI11AF.tmp	msiexec.exe
File created	C:\Windows\Installer\{1AA31EDF-1388-40AF-97D3-EF1CCA5E211A}\icon.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation\shell\open\command\ = "\"C:\\Program Files\\EV3 Classroom\\EV3 Classroom-win-1.5.3.4056.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.lmsp	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FDE13AA18831FA04793DFEC1ACE512A1\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\PackageName = "EV3_Classroom_Windows_1.5.3_Global.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\Version = "17104899"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\80FEA36CFBE3F1D4EA194FC1BBA600E8	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\p_fileassociation\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation\ = "LEGO® MINDSTORMS® Education EV3 Classroom"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FDE13AA18831FA04793DFEC1ACE512A1	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\ProductName = "LEGO® MINDSTORMS® Education EV3 Classroom"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{855378F1-D2F7-4FAE-B4AE-FBA8DD2AB269}	EV3 Classroom-win-1.5.3.4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\PackageCode = "80B4AFD46EB06F9479570595D9355868"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\80FEA36CFBE3F1D4EA194FC1BBA600E8\FDE13AA18831FA04793DFEC1ACE512A1	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1873812795-1433807462-1429862679-1000\{8DB501AE-611B-4490-868A-67DADC475ED7}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\p_fileassociation\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lmsp\ = "p_fileassociation"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\p_fileassociation	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FDE13AA18831FA04793DFEC1ACE512A1\ProductIcon = "C:\\Windows\\Installer\\{1AA31EDF-1388-40AF-97D3-EF1CCA5E211A}\\icon.ico"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 641858.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
1052	msedge.exe
1052	msedge.exe
3508	msedge.exe
3508	msedge.exe
5108	identity_helper.exe
5108	identity_helper.exe
1560	msedge.exe
1560	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
1084	msedge.exe
2396	msedge.exe
2396	msedge.exe
2808	msiexec.exe
2808	msiexec.exe
3940	EV3 Classroom-win-1.5.3.4056.exe
3940	EV3 Classroom-win-1.5.3.4056.exe
560	EV3 Classroom-win-1.5.3.4056.exe
560	EV3 Classroom-win-1.5.3.4056.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2720	AUDIODG.EXE
Token: SeShutdownPrivilege	3860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3860	msiexec.exe
Token: SeSecurityPrivilege	2808	msiexec.exe
Token: SeCreateTokenPrivilege	3860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3860	msiexec.exe
Token: SeLockMemoryPrivilege	3860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3860	msiexec.exe
Token: SeMachineAccountPrivilege	3860	msiexec.exe
Token: SeTcbPrivilege	3860	msiexec.exe
Token: SeSecurityPrivilege	3860	msiexec.exe
Token: SeTakeOwnershipPrivilege	3860	msiexec.exe
Token: SeLoadDriverPrivilege	3860	msiexec.exe
Token: SeSystemProfilePrivilege	3860	msiexec.exe
Token: SeSystemtimePrivilege	3860	msiexec.exe
Token: SeProfSingleProcessPrivilege	3860	msiexec.exe
Token: SeIncBasePriorityPrivilege	3860	msiexec.exe
Token: SeCreatePagefilePrivilege	3860	msiexec.exe
Token: SeCreatePermanentPrivilege	3860	msiexec.exe
Token: SeBackupPrivilege	3860	msiexec.exe
Token: SeRestorePrivilege	3860	msiexec.exe
Token: SeShutdownPrivilege	3860	msiexec.exe
Token: SeDebugPrivilege	3860	msiexec.exe
Token: SeAuditPrivilege	3860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3860	msiexec.exe
Token: SeChangeNotifyPrivilege	3860	msiexec.exe
Token: SeRemoteShutdownPrivilege	3860	msiexec.exe
Token: SeUndockPrivilege	3860	msiexec.exe
Token: SeSyncAgentPrivilege	3860	msiexec.exe
Token: SeEnableDelegationPrivilege	3860	msiexec.exe
Token: SeManageVolumePrivilege	3860	msiexec.exe
Token: SeImpersonatePrivilege	3860	msiexec.exe
Token: SeCreateGlobalPrivilege	3860	msiexec.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe
Token: SeBackupPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeBackupPrivilege	4348	srtasks.exe
Token: SeRestorePrivilege	4348	srtasks.exe
Token: SeSecurityPrivilege	4348	srtasks.exe
Token: SeTakeOwnershipPrivilege	4348	srtasks.exe
Token: SeBackupPrivilege	4348	srtasks.exe
Token: SeRestorePrivilege	4348	srtasks.exe
Token: SeSecurityPrivilege	4348	srtasks.exe
Token: SeTakeOwnershipPrivilege	4348	srtasks.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe
Token: SeTakeOwnershipPrivilege	2808	msiexec.exe
Token: SeRestorePrivilege	2808	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3860	msiexec.exe
3860	msiexec.exe
3508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2916	OpenWith.exe
3816	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3708	4916	msedge.exe	114
PID 4916 wrote to memory of 3708	4916	msedge.exe	114
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 1868	4916	msedge.exe	115
PID 4916 wrote to memory of 3164	4916	msedge.exe	116
PID 4916 wrote to memory of 3164	4916	msedge.exe	116
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117
PID 4916 wrote to memory of 2280	4916	msedge.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2023-10-25 08.11.54.png"
1⤵
PID:3748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x440
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb20e3ad4ha475h450ch8532h35593735ab32
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdfd5e46f8,0x7ffdfd5e4708,0x7ffdfd5e4718
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12564038697735030837,18291867149197182943,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12564038697735030837,18291867149197182943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12564038697735030837,18291867149197182943,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UpdateRestart.mht
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfd5e46f8,0x7ffdfd5e4708,0x7ffdfd5e4718
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6604 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1342801438803971069,2981731407373971635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EV3_Classroom_Windows_1.5.3_Global.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2FCA0F9F5857A12F36F543AD4BE3178C C
  2⤵
  - Loads dropped DLL
  PID:1708
- - C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
    "C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3100
  - - C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
      "C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe" --type=gpu-process --field-trial-handle=2224,15773424565309028878,10990930352164771525,131072 --enable-features=CastMediaRouteProvider --disable-features=HardwareMediaKeyHandling --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --lang=en-US --cefsharpexitsub --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --mojo-platform-channel-handle=2248 /prefetch:2 --host-process-id=3100
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3940
  - - C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
      "C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,15773424565309028878,10990930352164771525,131072 --enable-features=CastMediaRouteProvider --disable-features=HardwareMediaKeyHandling --lang=en-US --service-sandbox-type=network --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --lang=en-US --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --mojo-platform-channel-handle=2504 /prefetch:8 --host-process-id=3100
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:560
  - - C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
      "C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe" --type=renderer --no-sandbox --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --field-trial-handle=2224,15773424565309028878,10990930352164771525,131072 --enable-features=CastMediaRouteProvider --disable-features=HardwareMediaKeyHandling --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --cefsharpexitsub --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=4512 /prefetch:1 --host-process-id=3100
      4⤵
      PID:2940
  - - C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
      "C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2224,15773424565309028878,10990930352164771525,131072 --enable-features=CastMediaRouteProvider --disable-features=HardwareMediaKeyHandling --lang=en-US --service-sandbox-type=audio --no-sandbox --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --lang=en-US --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\debug.log" --mojo-platform-channel-handle=3644 /prefetch:8 --host-process-id=3100
      4⤵
      PID:3284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe
"C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x440
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e64fa21.rbs

Filesize
8KB

MD5
80dd0f654ef5b52db3435e66551abd60

SHA1
a6189614588dc91d09040faf797ae2d92484cfb9

SHA256
dfa551324a65ff73ebf988f284444bd892d673d03bde0254e45eac6bc356ccee

SHA512
4df69f63e64613361edac6fe704acc0238c38d56b1e3553175d9342d0ded383e80e5960609fc3326fa0ce941cd86d09ad72d98541a2cd34993d33dde80f9b42a

Download Submit
C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe

Filesize
414.9MB

MD5
22c2e62ea2191e2ff4a2357cd5d192a7

SHA1
40e6673ecae415bfd14be694ae3fa3c4e07a8994

SHA256
9a861c01300638c30065455ef9359dcaca06516f6ed9a6aee9fab316618b4c0b

SHA512
25eb427144e589a31a198a22f3cbcef673a9b5023bd871da771a0b1a836957ae49b5a895f9e86a9130048fd179d8c6909125d33d4d2abb7e3f10b692779aa9db

Download Submit
C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe

Filesize
491.3MB

MD5
c10f230d0d569bc5f33f9f3b6b709063

SHA1
46be5bda8b95878a71ee8dbb994072c14a4ef460

SHA256
d960568756546d24be2c0e0a106b140aa4b119c700de3a68710e16edc7cad839

SHA512
f49890aca15d6c62434aaa71d5c59fb03b8fa169daf014f5108080fae989af682bc0a54620e487e7450ebd02e89ea7a7699eee9d24da86448b6892b40f18dac2

Download Submit
C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe

Filesize
491.3MB

MD5
c10f230d0d569bc5f33f9f3b6b709063

SHA1
46be5bda8b95878a71ee8dbb994072c14a4ef460

SHA256
d960568756546d24be2c0e0a106b140aa4b119c700de3a68710e16edc7cad839

SHA512
f49890aca15d6c62434aaa71d5c59fb03b8fa169daf014f5108080fae989af682bc0a54620e487e7450ebd02e89ea7a7699eee9d24da86448b6892b40f18dac2

Download Submit
C:\Program Files\EV3 Classroom\EV3 Classroom-win-1.5.3.4056.exe

Filesize
491.3MB

MD5
c10f230d0d569bc5f33f9f3b6b709063

SHA1
46be5bda8b95878a71ee8dbb994072c14a4ef460

SHA256
d960568756546d24be2c0e0a106b140aa4b119c700de3a68710e16edc7cad839

SHA512
f49890aca15d6c62434aaa71d5c59fb03b8fa169daf014f5108080fae989af682bc0a54620e487e7450ebd02e89ea7a7699eee9d24da86448b6892b40f18dac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
2KB

MD5
9e3fb2073769cbacf0ebb6f7f4f29c58

SHA1
8ada8cb3a77faa5d337528bbd3102b38321940c7

SHA256
b96ef9a5bec16b42d864fc84f10d6aaa1ab86f1741122e9fe9ef81732eca09b3

SHA512
2ccf66f29cab4f7a3503dae33c62d9e78d89f1680f34882dc9e3f4a221d228fec8f6bee8a8b6b08073ca36fb5f704d5795745d9f46042ab835e8f3e005573f64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
1c8d079ba37a6fa45f42033bc5a9a3ca

SHA1
6a12a29f36962412f9c91a91b2a387e867bdcb70

SHA256
3938528fa67e476908fb1da224cd963391c16a58b22f9ab260073726db2f1a30

SHA512
74a629f2bd474e2efff0342be523515f9e225c358fc9f4fe11dc397f502abf793a0a573936eb354c2215e5bf3135f5b748aa033c349270447f14916283120adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_555476A565986D205C40412643ADA90D

Filesize
510B

MD5
b22fb39a9be9f34a8b0ede2704c33614

SHA1
4fc0db814d71f0e0d12e699afafe2de1ecde201e

SHA256
c9cd54b0ffa1f76bbe56689df83f0115aed217e69500f8282a34cccb443c0713

SHA512
915abee7f0751b55709d3d247551a5acc58fdf07f1aa615d1f85072fca6f2e79badda6f41da0c6e533f21f1a542a2857c0704759ab3be341d062e1f125fc8c38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

Filesize
488B

MD5
73c3ae4cbc33fd77eac446cfa9c7f273

SHA1
07c74dcd4a621844537bd2685ea99957716e7eb4

SHA256
75f1a60e8f3fbf26cf9c395661165b28f7c49a698fdb26935873d820d3d4757d

SHA512
c501d596c4144b789fd86c7d88e0bed8ef82ea0a85671f7738393a02bd5c50b38dbf8620dc61849b8107058736a1c637fca53d41233939fc0e27f2bd6eb0db9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
fb12866de96c2a6b1006a303f423f9a9

SHA1
4b50d399f0c2f6d59f29c85c99e7a9b9f60307c9

SHA256
c1e09c0f7edc58250ac2669c1601fb3c00c6ec9e80bad69dceab87bfba6f3e1c

SHA512
273f9f9ef9871fe32cb6ce922912d2eb666b1d535c88809497ae6a25a2e978166ea28c00414ba7e8ba9f811c5e480683ba9f62a4a05382261e94114ab76fa71f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_555476A565986D205C40412643ADA90D

Filesize
480B

MD5
37ecb76f49d419dbc5aedbec5d8391f8

SHA1
59563ce9feb708c7f57251e397b67e0f5e7dd5c5

SHA256
3c9c84b954cbbfc75c76c7639281a7986c71c25ac5842a1a91cff12b18e086b2

SHA512
0b0c90362d6cc4c4eab8f6d31855c512c0c59139725d00bc22efdebddc571537fc1aaa5b9dae347a8e3451473b7e89047bcb3e9e1f46a11a0b039024dcfd449b

Download Submit
C:\Users\Admin\AppData\Local\ASP.NET\DataProtection-Keys\fd67bed8-593b-425f-9c6f-f98a20f6ca02.tmp

Filesize
1KB

MD5
8d941dcb94ab95c7401112d6c1b70d76

SHA1
bc459b31940357bce7eca9a3f1a14421e8f418bf

SHA256
6ede33f2f7af73ecb9af120874bd3fc136a109802af8d2e19afe06ef9c3b846c

SHA512
52d5bea748d5ebb449813d5ef40a10e638c6e0aa55c8793121f61a0866792aadcd981125394aad7876ab28c57d9c017c9829c18da5c5b6fcc4387d0cd3e7adbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d1ebd08c334d00af8d74c56d31d3ba37

SHA1
30c00c59f17bb9b5417ef6ffd41c0f9caa722484

SHA256
ff96c70227f0d0662fc0cd590048eb56699f12e97f6cc74d126472c3a3d676ad

SHA512
95f57f9087d57d21994dbc4aa76fcf7e9854580938c54405a2b5d8762c493046c22070a016bdfa08a8744f4be7639acfbb778fa8e14b49a6c715a1813193d660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0700ac0822ba18f443bc6a5bdda6540e

SHA1
ea99c09c04512b69e359b580ca3a08f031713d71

SHA256
033092775ebf2680d71b9b35fcb51f39e9d72708f25c34abb71173b4dc06984a

SHA512
22ca41ff34ef90cacc2167da5d671a120403afa8da7436ff5eda3af0c98b2230564635dfa215011332a2783c2f87fb4a24d8617c7e7dd149f27419c9c5a86d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
101436a95fba4070b18341d3ea98e8e1

SHA1
02c6b1457d799f8110180be6f2ed706e376e5670

SHA256
4b728ccf3a865c1a5ab9c13ee65b0fe5b562304162f1099b248048ac42529f46

SHA512
67c4408d28e086decea6963ddf758d6ca0caa32060159c02d94951cb34c3ad12d964d44170d251b6ce3007ebb6e5a2b71bc265143a0fdbeb2437f14569a76caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ffec1772bfa2cbeabdebc4e31a8fbe68

SHA1
11c83f47fde3c8b1c4aa603a39501247c8d0148c

SHA256
f63059596f3eca4a9ac9a881872623851244392703325ec163930e3f17b34001

SHA512
b72cb030615c19b030555ac55b384b1912b2cb501f62e87662c1bd55f86828d94b769f4f7d55d95c572deb3644208f4137d50e7bfebc3d5cfc4105bbe84644b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
5f0995cf4fcce1a8f8ab691293095a4a

SHA1
68a7dcd43ec1b3af96b8c37f136cde0770dba100

SHA256
2be24e1970ab2f41bc55d70d46009ce47433d93baf7d11612d39a031c8c36f36

SHA512
5960c7ea0a819282f77f02b67282a5f4f330ff22e100b8924eadbf63442b19473359121e3326f24fa7e88a367df5b1d62c2685a48188a69b6c71d00c91d04877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
632B

MD5
9a41776b269236d88db07106a29fd303

SHA1
c64d82fc9f115dd029561a7994ec6156352d794d

SHA256
a29f235213b0ad8eeb257ca46fe76b8ea45d2665ec1c328aa2fd2e00fc5f49e7

SHA512
8026051ad499270bbc89697d6e8a8f6c6c0dbe9d436f7c7016f79deb4e1db703b55e3bb7eb533423ed08a870eccacebe0ce1098f7e641fef3d758f92bbcb8146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
632B

MD5
74437b2fefc478554274f6e80c435b38

SHA1
0b95d0699d6e19f6f2b98c1348475103d210d88d

SHA256
cb05c3e56f852329f0d9f9c1932a052f44c7de12344b4c2931d1a942bd29b1df

SHA512
abe3eb8219a3d388599b17cdb18e3eb55f61e90b38aa67a0b062bb8fbe810db5d82758fcc4a69b17fdf0f5fe23914b8259a3002226cc2a05367932a8b4cea313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
baf351b692445b2d68f84a7162b957ff

SHA1
22e81c0e4fe0615506c9a22d41b5c87b5abc5d4b

SHA256
63e40a7a4d2741d76e6b9293f70d6ee22608ef7db5011106b2321c94f8010c86

SHA512
542883fd208888b0f640b09adb285240d004e354f2f42bc06d539e2d801c8ebe208341374b2c62c69f2a1e6216ad6ee31d876f92d3231b677b9212497e2e4ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
baf351b692445b2d68f84a7162b957ff

SHA1
22e81c0e4fe0615506c9a22d41b5c87b5abc5d4b

SHA256
63e40a7a4d2741d76e6b9293f70d6ee22608ef7db5011106b2321c94f8010c86

SHA512
542883fd208888b0f640b09adb285240d004e354f2f42bc06d539e2d801c8ebe208341374b2c62c69f2a1e6216ad6ee31d876f92d3231b677b9212497e2e4ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0fad6132e0f0252abbfb716090c6cfb1

SHA1
222f951c15e1e43da1c9107af4a4e49d031831e5

SHA256
2a22442dd110ee94aaac47cc4bbcfc172eee511d42409c8e7367b1df4521e9dd

SHA512
267f788021242cc635b0d2b55620fd277769111c730a52a76c6f1d12678fb2db87dae77fbf87ad3428faae642002c82a1540afcc3d32e9ec9b106b64136d6639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d758c6226215a0ca7caa11dfd804ac3d

SHA1
7a1d8a718ba20980cf0ea1b131be12334f430bb0

SHA256
1d1043d46931e1bba32b39ba6585f75cb24a4d0cdf21edfd1ad3fcf2e21ebcb1

SHA512
ff89498186601603298c978f8a2218526088a684fe4de40318f93c339a0b16ca93fff168f8ae580d77c6e8341d45905cb99f3eda8b0c50ee5b64bba2b1e74577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a0aca9ddf139807de675998b09b1c046

SHA1
6c3593fd1f0cf41456f8e928ddaa4293d36f7ef8

SHA256
e428002c6a34bbf2085190ca98f2afc4cd56d8a2be9588783ae50ea84e36bff6

SHA512
03556f7092c4294c3197f5e31b7a60bfa483df7674ca9e3c1121ab8503bfd397c54ab4488b261d57e24de571aa4ce2e6739d7f99502c7dd503ec6cbb1fadaf70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c3eb1d45a2c3e97fba9f8b4f426caf79

SHA1
e2537c9daf4590fd46a68530b58ed1d33fea1dec

SHA256
cada52e2ce8054d2501e6367a143f8b816724efd60381f16a6476579a953b8d0

SHA512
ec239f5debf0212388e564ff75d16c2b025329ecf2820e78b3b17fa6f375abc94e22eed63db9a1706b0eed6807bb4903553d9fcc0419f8d244af25ccfcdc049a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d1d10f4cae6dc1ec7b1e445c5de27fb

SHA1
7b765337e22b379cd55495a197f8bae6140a9caf

SHA256
2fcc3f220528a6b54fef66230181332a3507933a953bcd775f6e8dfd2dc8f20f

SHA512
96a03581c63d3d242c8da33489c7d93397c6acbff05394ddd79c98355b3230c16c6c27760cb088f573589a7c7835fb1040dc67688e214b8c122fb0899e32368d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd391533becd8eaa0501941dc9faa472

SHA1
ca899f83cf0f92859cec88fcaf0d399fd549961e

SHA256
211cf666bc6bd8958c7d49fd54088e2b74d7e10c3883cc6a1a777cf24591de70

SHA512
c6e0f08704204d08e561697b1742783222fa90c9ca66de96404cbced4765da54c6a08f2fbeeb667084cfca402b21565b2eb9d93edde094755e4346d92d5554a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
606ebdb5146e3d08c3840c84544b1d06

SHA1
f26aa5eff5391cb63bbfc753127441b056b432eb

SHA256
0d324aec2507e3f1e53964be23e9effe3b4839b31b3f203af5b386b255675d09

SHA512
08ba4df90caad2d2cd560f61431cc79f4a90f31cfe1c8fd5f0fa63dd56f948b7486c3c818464ed3e9769b623bf39be5a75af5593d8cd1fa4db59db5b8da82fe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
29d3f199010d5421d1e3458fb3efedd4

SHA1
b4f6b0fe53d557da108e3f262f230361a1923963

SHA256
b4aad384e59099cd542f65e324cbb5281b145e5fd571d13aaa39837c52c300c5

SHA512
5d212629827a5958848f8a03894de12b6e876709e8c5e89f6d926144bb3e97adfa5346a26b39ad8483d1890812b017f4600d0e788a956c8008ecf5f5bc832efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
76712a9e67940b0254edbff3835cafbe

SHA1
26c4a3d5abe3826e0c20356b9eed0d77af0b2fed

SHA256
a27dc42ce37f64260a1bae4fab6bce8d435d509d619856e9556e2087238c13ce

SHA512
4869542091f360a03fdb68a530864ae0598d6f24fc0ce19c17caa35baf149451d80d64553460b9366181a47471ed6e5837142c944fcbcc1984db57f87976ca69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
ca79caa6df275aaa6ff13edb39a13371

SHA1
2627336574b4acef889dcef5758bb0ab540e5b02

SHA256
7b859cc27b0c26c882bfe93dc7de74adeb6772cbc4ada8ad77a078fc95c284c0

SHA512
43902757ffb551aa3cd299541f7c6919118555e70a2a9de808da2df2c1a37696f7b7e969bd25f5a048d912ae5a705f0c15dd03ba99bdc2356418d13a1a4e24c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe630cf6.TMP

Filesize
538B

MD5
d96cc75d584029a26438a71b69ac3ed8

SHA1
b3d361237a4d7c70584d5bc98c04858281b8ba12

SHA256
865955330e08e0f1e7e984b874d39e2c5e49ed2ec3ebe3c63fd614c4b859f3db

SHA512
88c842caf829c09b08e7308e3702d778db50621b2b1a18c35f527dc2f2f9da10078e9666a2b5d8d496abc4dfa012f362fc9157fb4f44175034a0228b40a9e79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
48f7b7f23af50f68b0960f09174afe6d

SHA1
523f5ba33301aec020ec142362c5112115a7ee03

SHA256
4f56f6e1a51201a852fc385ea15e5f6368e29bd0b8c04b5557b7ea36a29a4545

SHA512
dd42e0d46e938fc01f556ea4f79b03fbf58f9d54d18660283d291ac7ba972afc19f1d1f76516c7df1b0ef16986ca4a4e4ec9f5776c4402caf57e1eefc74f81e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d33adf2bea0686d860d2448766ed01b

SHA1
0aed0c04088442ea13df8c0cbee351bbc080ff8b

SHA256
14d51d42713626d6d87b6af2aca6947e4f36a4a34200c63f277a45f0d1e112b0

SHA512
ee586b7383025aecf9531525a36ac7ac5f3fd6c59757db56d6e9d8daa1ebeed52980122c0405232d7f70656759a99be8b8f0bebe5ba1e08c128e914ff6b82e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
927f8767c5905befd56af9a35775846a

SHA1
fe4e4692cfaa415b4764fe7280541f67a0aa9b8d

SHA256
a7b1e8a9b8bde3c5c38afbc10db6e543d485dd0289f704aa8ecc214defd30186

SHA512
e2c9b8bdc80e1d87526108552dc8eeb80b6ac7023daa42cd05a0d754b7c1a63b8e7dd5e85b4dede1d7768cdd9124cc0d81a4e4e8403b55916e2f60f84fa1ef8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
48f7b7f23af50f68b0960f09174afe6d

SHA1
523f5ba33301aec020ec142362c5112115a7ee03

SHA256
4f56f6e1a51201a852fc385ea15e5f6368e29bd0b8c04b5557b7ea36a29a4545

SHA512
dd42e0d46e938fc01f556ea4f79b03fbf58f9d54d18660283d291ac7ba972afc19f1d1f76516c7df1b0ef16986ca4a4e4ec9f5776c4402caf57e1eefc74f81e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3958dc438358564ab2280c41e969803b

SHA1
468e94a45d8348a9bf34e1866c170ece5d9ab797

SHA256
ab27de10483b7f7ce11b9021e68deaa8031acc4af892e697adfb997a36f84184

SHA512
2bc1274fe407adfaeb11d2ba8df18715fe396c41118904f8fa661e75febb091c3a2771e59fdf6bf55aac3dda911b647c8eeb8a57b701f72468bbe19b6f20366a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0dd504b50efb3ca29832d71a9ebf1c4

SHA1
61dbe34d8e054c5ae2e59f007f85af529909448b

SHA256
7ee4ea8b8d60195d601ee72bafbb22d093182c68221d57d3a7c1c07ddbb0c620

SHA512
50230b7d02df923068729fb06609d876c70f22434c8e7c5d429536a7dac9d2440a5d6faff68a6790eef367f6a6d6a39c165947377ea9abc641451f7faf729a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d7939dd365433d11f2734b2d22a2ea0b

SHA1
3e5ca1645dcd705793fa87db58e433f075e11cbc

SHA256
98d94c9aaa0317214f821eb4477ec96a35839dd35eb034206a694f5e2d4822c0

SHA512
fdb2d53f87f10005c64e9c741c26318f933425453662fdfc0650615c68cc5d5f1affe70f646491f79490632ac4615bcbda7cce68cbcb10ed4807ba503579388b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\CefSharp.Core.dll

Filesize
1.9MB

MD5
f8b1cf76364fa42d6c21a990eac8daf3

SHA1
d38d5687b46a669cb4cc4b1ef52f37c82d1529d0

SHA256
1ad29c3b8dc162c5493c9e45166ca8e3ed2e0a83a2577f7ffb1c4dca4f350e71

SHA512
de4edcc795404070263d840c7f65e74fec5197ab90e3001e805d3dbaaf3f1369d48627683461d00868656dfc1dbf20095bea54fd25c27a91cb0b72e22225920f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\LEGO® MINDSTORMS® Education EV3 Classroom.deps.json

Filesize
222KB

MD5
eab2f90959466df278bd810618581ce8

SHA1
a22adf66726a4dda628117b05079c66dd7df8931

SHA256
092dd0b9344af433f78bb61061d55a4d656c36da7047c1c1c9ac21a2d0540f26

SHA512
fdae1c662465fe3f4ef465615a1ceb1e99bdc5a1e05e23c743b2f83966c4c202b7e0d51862b05a63aa0af2ca7b82db5791c49edf0aeec547254b518e720e8d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\LEGO® MINDSTORMS® Education EV3 Classroom.runtimeconfig.json

Filesize
283B

MD5
380c2f0148e3f078a1f3fc80129423f4

SHA1
5425022437e6acae92450de3f9a2aa99551aa7aa

SHA256
40f04b132749f05981b61815cb7b999124b5637487f5165ea36d278601c9f855

SHA512
ec9337fc158e61bdbb26e382438bb79552963bd627209af696f8fc66da2ca9ab77f2ab4219ea41f0dfe382a7d60090af63fcd9f0d00f49666d19d087fb94fe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\System.Private.CoreLib.dll

Filesize
9.1MB

MD5
8da14314407aacbbf95677398c0c35e7

SHA1
7e8c1fd0111dd6f6a9221f3eacb382a640283542

SHA256
a83d2a768912d030fe1e195f62fa81fc94410879e59355fb0626ee6a1f151a06

SHA512
c9d8490681755a645b8d09506ade13897f799b9e10cf0c3746b0f9d47e7258955c2622abc992c4ed48bb49ed60196b036b661ba3c72a7df25d11eeae823a8a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\System.Private.CoreLib.dll

Filesize
9.1MB

MD5
8da14314407aacbbf95677398c0c35e7

SHA1
7e8c1fd0111dd6f6a9221f3eacb382a640283542

SHA256
a83d2a768912d030fe1e195f62fa81fc94410879e59355fb0626ee6a1f151a06

SHA512
c9d8490681755a645b8d09506ade13897f799b9e10cf0c3746b0f9d47e7258955c2622abc992c4ed48bb49ed60196b036b661ba3c72a7df25d11eeae823a8a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\System.Private.CoreLib.dll

Filesize
9.1MB

MD5
8da14314407aacbbf95677398c0c35e7

SHA1
7e8c1fd0111dd6f6a9221f3eacb382a640283542

SHA256
a83d2a768912d030fe1e195f62fa81fc94410879e59355fb0626ee6a1f151a06

SHA512
c9d8490681755a645b8d09506ade13897f799b9e10cf0c3746b0f9d47e7258955c2622abc992c4ed48bb49ed60196b036b661ba3c72a7df25d11eeae823a8a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\coreclr.dll

Filesize
5.3MB

MD5
f189f8b85961d5973f2e359b70f0564b

SHA1
4dc1fc29e2db0694660068e2b4e9675806606ee1

SHA256
ec7c8bc62012b7efc50b810b8cd4f498ce61788a6c662e1b2c94214cfe4f1c9a

SHA512
c1d53d5019558a3ea8ec3c75675bec60fa817515aea4643d0a6786fd9b81446983ea35e02fac6d449c77fedea996369dfd08d0751ebfe5ae0e938f8fc8dc9689

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\coreclr.dll

Filesize
5.3MB

MD5
f189f8b85961d5973f2e359b70f0564b

SHA1
4dc1fc29e2db0694660068e2b4e9675806606ee1

SHA256
ec7c8bc62012b7efc50b810b8cd4f498ce61788a6c662e1b2c94214cfe4f1c9a

SHA512
c1d53d5019558a3ea8ec3c75675bec60fa817515aea4643d0a6786fd9b81446983ea35e02fac6d449c77fedea996369dfd08d0751ebfe5ae0e938f8fc8dc9689

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\coreclr.dll

Filesize
5.3MB

MD5
f189f8b85961d5973f2e359b70f0564b

SHA1
4dc1fc29e2db0694660068e2b4e9675806606ee1

SHA256
ec7c8bc62012b7efc50b810b8cd4f498ce61788a6c662e1b2c94214cfe4f1c9a

SHA512
c1d53d5019558a3ea8ec3c75675bec60fa817515aea4643d0a6786fd9b81446983ea35e02fac6d449c77fedea996369dfd08d0751ebfe5ae0e938f8fc8dc9689

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostfxr.dll

Filesize
585KB

MD5
91d9f560f1f7eebbaabbc18ee36ed811

SHA1
3f8bb6df836aeb623a12b7e846484b10b7df9a8e

SHA256
886d58c4714122e8ac352eae724f6a7f608b6a987955ef04c16a836a46e0fbb0

SHA512
2a0c918cd4ac07ddfd2e5084835ad9f6fd5f3584b55a2b1f4359097ee07a9381b4f455b68f4750274ef5b2e7a3593b01aef42dac42043475b1ac456ea338d780

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostfxr.dll

Filesize
585KB

MD5
91d9f560f1f7eebbaabbc18ee36ed811

SHA1
3f8bb6df836aeb623a12b7e846484b10b7df9a8e

SHA256
886d58c4714122e8ac352eae724f6a7f608b6a987955ef04c16a836a46e0fbb0

SHA512
2a0c918cd4ac07ddfd2e5084835ad9f6fd5f3584b55a2b1f4359097ee07a9381b4f455b68f4750274ef5b2e7a3593b01aef42dac42043475b1ac456ea338d780

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostfxr.dll

Filesize
585KB

MD5
91d9f560f1f7eebbaabbc18ee36ed811

SHA1
3f8bb6df836aeb623a12b7e846484b10b7df9a8e

SHA256
886d58c4714122e8ac352eae724f6a7f608b6a987955ef04c16a836a46e0fbb0

SHA512
2a0c918cd4ac07ddfd2e5084835ad9f6fd5f3584b55a2b1f4359097ee07a9381b4f455b68f4750274ef5b2e7a3593b01aef42dac42043475b1ac456ea338d780

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostpolicy.dll

Filesize
576KB

MD5
f8a3eea5de5780cf9d8f29bf387ef768

SHA1
531389bd51488eebd58fc4371184817d8b6551a0

SHA256
b786f28906e2099e1be80e0ca945e78d298674669d629e33d6cdd2299db47f2f

SHA512
403c1a7452a9a0a65961990170e1fae8c598c9d49e0802fb480ae47f04f6959ec870a336027bb04117168bde3b6090bdb7e61632da325bf25b289193efc7dbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostpolicy.dll

Filesize
576KB

MD5
f8a3eea5de5780cf9d8f29bf387ef768

SHA1
531389bd51488eebd58fc4371184817d8b6551a0

SHA256
b786f28906e2099e1be80e0ca945e78d298674669d629e33d6cdd2299db47f2f

SHA512
403c1a7452a9a0a65961990170e1fae8c598c9d49e0802fb480ae47f04f6959ec870a336027bb04117168bde3b6090bdb7e61632da325bf25b289193efc7dbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\EV3 Classroom-win-1.5.3.4056\a0dz4rcb.bek\hostpolicy.dll

Filesize
576KB

MD5
f8a3eea5de5780cf9d8f29bf387ef768

SHA1
531389bd51488eebd58fc4371184817d8b6551a0

SHA256
b786f28906e2099e1be80e0ca945e78d298674669d629e33d6cdd2299db47f2f

SHA512
403c1a7452a9a0a65961990170e1fae8c598c9d49e0802fb480ae47f04f6959ec870a336027bb04117168bde3b6090bdb7e61632da325bf25b289193efc7dbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI391D.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI391D.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\Cache\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\Cache\Cache\f_000011

Filesize
767KB

MD5
367360ca955c0c021c30fd6e8b1d14a6

SHA1
ec1c63bedcf00fe474757fa98006931a257d5000

SHA256
8ec42e5b7847cc1eea5e60f27172c10b9b361b86edfd8866676e156b0d449b67

SHA512
ec887f2ada6803409db640b6bc353b1eaed7504c509294f1be88ee1dcef8f9fd577e9fbeaffdf9297dc0f34bf66a487a084b844b88994091959ecea008450045

Download Submit
C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\Cache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
901f7700e0aaafd70ca981bd2bdbe2bb

SHA1
c4d9a3c18af19a021147b50efa6009561527bd83

SHA256
794eedc6bed83ee6baa8fabd00b2098e9b4614339431884cd4d1af0e245d6b15

SHA512
3ae38860bcf1dce8ba664266022a33e1f10c48b4e999877d14d8cb57a0df3996c4a5b3fec0dd1396ef9126aa2326855fb3f4023da080638a63644d26948b9f0d

Download Submit
C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\Cache\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
24f4b59b9fe413a972fe20019de4d8be

SHA1
b3c413b30fa281a9ee0003d866f4f32478c99069

SHA256
690d79f6202777dcc902c409aa36dda4f64cc4712630f9aa5dd6c7e7659461d9

SHA512
d847714cbe47bfe03ba071835998d05bd374b2cbd6b3bfcc32de198a9720ad59bdd58ca799cd59327a85616b2f1093d13c56351be00511e6a005db6e7d5412a2

Download Submit
C:\Users\Admin\AppData\Roaming\MINDSTORMS_EDU\CefSharp\Cache\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
4736b5108a31bc3d4c509674897c8eef

SHA1
d54a14c03567405606964b670e021e6e2b40ed45

SHA256
27a109474401e6eed79867dcbc8910fcb0110d9791393d507c4db2c26d4ffc1b

SHA512
8aab872e6e6f85b9ed8b9e7a0547f61eb4ed2dc3b18f40bb41ba5271d74c8e82af5bc517084072c54a2f6f04472809888db1671606be8c5efc2b5503f7b93d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
8KB

MD5
69323e671afc603697d24f434c0a6dbd

SHA1
bc5ca271f8c681bf8748509601d7969f9d5f21ee

SHA256
6c08affa7da645d114021b10be5fe79a7e3ad986b6fe5a39995dde6eee0cdc9a

SHA512
9dcdba366745ef52e3d3192f717190c057c25fbbb7ceb938ea30d5707f702a857ce94e18bc9e7cc9b34871bf472332cea72b9015aebd79b6734eda87d1dbff95

Download Submit
C:\Users\Admin\Documents\LEGO Education EV3 Content\en-US\buildinginstructions\manifest.json

Filesize
3B

MD5
58e0494c51d30eb3494f7c9198986bb9

SHA1
cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d

SHA256
37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

SHA512
b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

Download Submit
C:\Users\Admin\Downloads\EV3_Classroom_Windows_1.5.3_Global.msi

Filesize
249.9MB

MD5
d7bb4958b30df56c72041ff26d875f43

SHA1
70ed2ab3f18f157db6556f88e99f8575a2498379

SHA256
e9639181b5cf21ebbfa217cf9cd56cb87af6cf24a22898321b44dfe9f563e5ad

SHA512
96b61d9344472b375ee9f281d25ae02a7060e6ccec19e894e3e8d21d8fda09820ac3af3b7ac8b344684b3f23dc090449f08e6bd6a321335c95046b3c4d7a74ca

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 641858.crdownload

Filesize
249.9MB

MD5
d7bb4958b30df56c72041ff26d875f43

SHA1
70ed2ab3f18f157db6556f88e99f8575a2498379

SHA256
e9639181b5cf21ebbfa217cf9cd56cb87af6cf24a22898321b44dfe9f563e5ad

SHA512
96b61d9344472b375ee9f281d25ae02a7060e6ccec19e894e3e8d21d8fda09820ac3af3b7ac8b344684b3f23dc090449f08e6bd6a321335c95046b3c4d7a74ca

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
2dfb7b253c5c9260055f5c1b8f10257a

SHA1
9294c484e3750f66f4096d362b0301a3b24c247c

SHA256
ad87137160fe7908c8ea1704b6bcf06206a015c8da4f1c5c07f44701e9868638

SHA512
0b814a8db79452e9e7efe691d263f55f74a0223f024eda34fc1d152019f8aa7bd7910cb7f5429cc0d128b9edcb2d379020636a0bc9b267abb9f40ecfe1a8fecf

Download Submit
\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d8d9f207-8ed9-40b1-84da-93d9831bd8df}_OnDiskSnapshotProp

Filesize
5KB

MD5
ff35cfa0fcc80f35e598c19de5f08a63

SHA1
4c72b3edb55b904855dae9364b8a253e505b8b49

SHA256
8eb0373afb0041e170d3fa478809c3ab0d801c9de6fc54861c44b44b09d913e6

SHA512
3914530a21f0482a5c207aef6b7f9675141cc3446d03405fc21f48952bfc912edffa7d1437b4bf73908e627ad7b94d6faebac0cad6dd98790739bbb028c68a70

Download Submit
memory/560-1495-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/560-1865-0x000001BE70680000-0x000001BE70690000-memory.dmp

Filesize
64KB

Download
memory/560-1863-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/2940-1875-0x000001ABAEB00000-0x000001ABAEB10000-memory.dmp

Filesize
64KB

Download
memory/2940-1854-0x000001ABAEB00000-0x000001ABAEB10000-memory.dmp

Filesize
64KB

Download
memory/2940-1873-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/2940-1846-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3100-1815-0x0000025E47810000-0x0000025E47820000-memory.dmp

Filesize
64KB

Download
memory/3100-1914-0x0000025E4C1E0000-0x0000025E4C29D000-memory.dmp

Filesize
756KB

Download
memory/3100-1862-0x0000025E4C1E0000-0x0000025E4C29D000-memory.dmp

Filesize
756KB

Download
memory/3100-1267-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3100-1864-0x0000025E47810000-0x0000025E47820000-memory.dmp

Filesize
64KB

Download
memory/3100-1825-0x0000025E4C1E0000-0x0000025E4C29D000-memory.dmp

Filesize
756KB

Download
memory/3100-1868-0x0000025E4C1E0000-0x0000025E4C29D000-memory.dmp

Filesize
756KB

Download
memory/3100-1871-0x0000025E47810000-0x0000025E47820000-memory.dmp

Filesize
64KB

Download
memory/3100-1793-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3100-1554-0x0000025E47810000-0x0000025E47820000-memory.dmp

Filesize
64KB

Download
memory/3100-1927-0x0000025E4C1E0000-0x0000025E4C29D000-memory.dmp

Filesize
756KB

Download
memory/3284-1882-0x00000181DC6A0000-0x00000181DC6B0000-memory.dmp

Filesize
64KB

Download
memory/3284-1894-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3284-1909-0x00000181DC6A0000-0x00000181DC6B0000-memory.dmp

Filesize
64KB

Download
memory/3284-1881-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3940-1362-0x000001DDF5BA0000-0x000001DDF5BB0000-memory.dmp

Filesize
64KB

Download
memory/3940-1312-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/3940-1855-0x000001DDF5BA0000-0x000001DDF5BB0000-memory.dmp

Filesize
64KB

Download
memory/3940-1840-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/4700-1320-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download
memory/4700-1266-0x00007FFDF9610000-0x00007FFDF9B7F000-memory.dmp

Filesize
5.4MB

Download