Analysis
max time kernel: 860s
max time network: 756s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-05-2024 17:01
Static task: static1
Behavioral task: behavioral1
Sample: .html
Resource: win11-20240426-en
General
Target: .html
Size: 147KB
MD5: 834aba75ed6bf5843b755d3aa1053949
SHA1: db29ef39812d221ee4a23bbcb6f3eb72e15d1d4c
SHA256: 26a441dc6354cd8ef7edfca469ee5ba526fd757b647661cc490736e66b9cf1ac
SHA512: 17f992c01ac4671bfecbbee440c5e5352d8a17af31378fcebe5028ea1a82395bc7f8fe2b26b3c2d0a16d5fa3c419bb05a0c8a82f7b6fa87fd7fdbee0a6780895
SSDEEP: 1536:oUkud8LonVJoqYarK4DsYNgRyypRMPuNPV5nPztP4FPfaParP8R4DJ2PWTllU0ru:fkPL6WVMllhAY9HhqiS
Malware Config
Signatures
Dharma
Dharma is ransomware that uses security software installation to hide malicious activities.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (576) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (PIDs 5732, 5800, 4232)
Downloads MZ/PE file
Deletes itself 1 IoCs
Processes: CoronaVirus.exe (PID 696)
Drops startup file 8 IoCs
Processes: CoronaVirus.exe, xoro-service-fns.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3CBD6726.[[email protected]].ncov (CoronaVirus.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xoro-service-fns.exe.id-3CBD6726.[[email protected]].ncov (CoronaVirus.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (CoronaVirus.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xoro-service-fns.exe (xoro-service-fns.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xoro-service-fns.exe (xoro-service-fns.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe (CoronaVirus.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (CoronaVirus.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3CBD6726.[[email protected]].ncov (CoronaVirus.exe)
Executes dropped EXE 2 IoCs
Processes: xoro-service-fns.exe (PIDs 2876, 5220)
Loads dropped DLL 59 IoCs
Processes: xoro-service-fns.exe (PID 5220), Saturn.exe (PIDs 7348, 5292)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource yara_rule: upx, matching files under C:\Users\Admin\AppData\Local\Temp\_MEI28762\ and memory regions of PID 5220
Adds Run key to start application 2 TTPs 3 IoCs
Processes: CoronaVirus.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
Drops desktop.ini file(s) 64 IoCs
Processes: CoronaVirus.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ChilledWindows.exe
  File opened (read-only): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
Processes:
  flow/ioc: discord.com (flows 674, 675); raw.githubusercontent.com (flows 1, 6, 118, 123, 1011, 1081, 1090, 1097, 1106)
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow/ioc: api.ipify.org (flows 20, 122)
Drops file in System32 directory 2 IoCs
Processes: CoronaVirus.exe
  File created: C:\Windows\System32\CoronaVirus.exe
  File created: C:\Windows\System32\Info.hta
Drops file in Program Files directory 64 IoCs
Processes: CoronaVirus.exe
Drops file in Windows directory 4 IoCs
Processes: UserOOBEBroker.exe
  File opened for modification: C:\Windows\Panther\UnattendGC\setupact.log
  File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log
  File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml
  File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml
Detects Pyinstaller 1 IoCs
Processes:
  resource yara_rule: pyinstaller, matching C:\Users\Admin\Downloads\Unconfirmed 833379.crdownload
Enumerates system info in registry 2 TTPs 12 IoCs
Processes: msedgewebview2.exe, msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe, msedgewebview2.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe, msedgewebview2.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe, msedgewebview2.exe)
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 6080 vssadmin.exe
- PID 30440 vssadmin.exe
Modifies registry class 64 IoCs
NTFS ADS 16 IoCs
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: OpenWith.exe, DesktopBoom.exe
- PID 4716 OpenWith.exe
- PID 6964 DesktopBoom.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 48 IoCs
Suspicious use of SetWindowsHookEx 58 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff587f3cb8,0x7fff587f3cc8,0x7fff587f3cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3188 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3280 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6772 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7536 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4072 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,5500546451365467710,13427342699229894645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7420 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\xoro-service-fns.exe (tree depth 2)
    "C:\Users\Admin\Downloads\xoro-service-fns.exe"
    - Executes dropped EXE
C:\Users\Admin\Downloads\xoro-service-fns.exe (tree depth 3)
    "C:\Users\Admin\Downloads\xoro-service-fns.exe"
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe (tree depth 4)
    C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe (tree depth 4)
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe (tree depth 5)
    C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe (tree depth 4)
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe (tree depth 5)
    netsh wlan show profiles
C:\Windows\system32\cmd.exe (tree depth 4)
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree depth 5)
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe (tree depth 4)
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\Downloads\xoro-service-fns.exe""
C:\Windows\system32\PING.EXE (tree depth 5)
    ping localhost -n 3
    - Runs ping.exe
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\svchost.exe (tree depth 1)
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe (tree depth 1)
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    - Drops file in Windows directory
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (tree depth 1)
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (tree depth 1)
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\rundll32.exe (tree depth 1)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe (tree depth 1)
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 1)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff46953cb8,0x7fff46953cc8,0x7fff46953cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5540 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5764 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8496 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 2)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10024 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10916 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9708 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10524 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9004 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10796 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11108 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9452 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11864 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12048 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8808 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=10396 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11420 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7540 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11344 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10920 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10944 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10584 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10544 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10120 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=13208 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8884 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7640 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9156 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11660 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12464 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=13036 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=13156 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12496 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=12760 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,3056509812480946144,4944479889169812566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2616 /prefetch:82⤵
- NTFS ADS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe"C:\Users\Admin\Downloads\Saturn\Saturn.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=7348.6392.120613581743091889802⤵
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x134,0x7fff46953cb8,0x7fff46953cc8,0x7fff46953cd83⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1916,2549390575962743583,15597612197150284977,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1988 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2549390575962743583,15597612197150284977,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2108 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2549390575962743583,15597612197150284977,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2748 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1916,2549390575962743583,15597612197150284977,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2549390575962743583,15597612197150284977,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4428 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe"C:\Users\Admin\Downloads\Saturn\Saturn.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=5292.2128.79199152926072470912⤵
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7fff46953cb8,0x7fff46953cc8,0x7fff46953cd83⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1792,15652898284667043618,4199346502229728475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,15652898284667043618,4199346502229728475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2248 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,15652898284667043618,4199346502229728475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2540 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1792,15652898284667043618,4199346502229728475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView" --webview-exe-name=Saturn.exe --webview-exe-version=1.0.0+2e775afb09fa93f99111ff902a1f2d2736bfd1ad --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
Level 3
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Level 1
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Level 1
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004C8
Level 1
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\ProSwapper-0.9.8.tar.gz"
Level 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Level 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\ProSwapper-0.9.8.tar.gz"
Level 2
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\DesktopBoom.exe
"C:\Users\Admin\Desktop\DesktopBoom.exe"
Level 1
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Desktop\CookieClickerHack.exe
"C:\Users\Admin\Desktop\CookieClickerHack.exe"
Level 1
-
C:\Users\Admin\Desktop\CoronaVirus.exe
"C:\Users\Admin\Desktop\CoronaVirus.exe"
Level 1
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
Level 2
-
C:\Windows\system32\mode.com
mode con cp select=1251
Level 3
-
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
Level 3
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
Level 2
-
C:\Windows\system32\mode.com
mode con cp select=1251
Level 3
-
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
Level 3
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
Level 2
-
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
Level 2
-
C:\Users\Admin\Desktop\Melting.exe
"C:\Users\Admin\Desktop\Melting.exe"
Level 1
-
C:\Users\Admin\Desktop\ChilledWindows.exe
"C:\Users\Admin\Desktop\ChilledWindows.exe"
Level 1
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Level 1
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation 1
Command and Scripting Interpreter 1
PowerShell 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
5KB
MD5f7855027c72b9b0c8ba3b47ed22a1e28
SHA12385a64e99c143a0711fbde14aedd0f9fdc1d010
SHA2566f70cf6e3343f7c0d115482fca31a3bf779958c5aa4135e549cc9082ca26f7f1
SHA5124d52360dea953e05caf8aec75b1786436b3d1f6dc94596858639a02df22ea38a732a2ba5d6768bbe9e24712120e25e4ba3abfa88b26d435559a83c53e1ede4a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD553a41e45386a919b92e609a9936a2a4b
SHA13d6038bb44398a9feeb0263c9d7f72c5b0982913
SHA2567771f372a5af81ca2f6188f926b41dbf5bf076f8fcc9863549b5d94a3bf6bba9
SHA512c5abfca532137a9bb9bba9a0976b8da0f7dea1efa844124957a51877e7a0d01941eae2e4d9eb312e4e2ff3831d682c8f78538a240ec1673d0fb538a820fd532f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5824699ad8c3fb19424c97893b85e4895
SHA129f3e6c3aa08a5180576666a0e092079b102d113
SHA256a0419af43c7ce73c332c33629d6cfdab16b60c49bae847b9a166889903cb04ee
SHA5122e2eb3d70465a990b5ff2f07dd4ecb44dfd6071fb9bca301bf4011375abedfad16c90b296bda5cbb59109ae107067debc387afa989a1248e52ada35b47e8f2c9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD52d7d8ba1cb26e2a14564be8e50788aac
SHA13e217da31dae3b2800dcd2641bca720f7244bac3
SHA256aafbccc612b9e56376f1659453279e25abd3b19e39be6ea173e7ed7714ceccf8
SHA5128b8ea04a6b201be491a9248361286adcc42805cb60e6fffc4f9aaa6bb5b7aca54805a6f288490a979e917f7b39ca8a5480c46711c18809552d97dc042dd766c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5a24b026e50cb5791492de34fbc936cd4
SHA131c6b6d3fa1281e97853f92190865e9a18822659
SHA256977a7cfff46c216f63fe74848c86b6814d31fa1b0cdf88558a4c529dee74bbec
SHA5122534d9096ad9aaf2f7bb26735026f2144cc4ffc8b6f9b041c084451ff03b3a113553fe11a60ebfb54be8047058ac926260421f2c90a5433f136a019d75086971
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5d1cb4b6ace5d7771b23f343418cf581d
SHA19a6de5531b1724524f069bd1c3a121e176492a98
SHA256abc5731fb40af9282c26706a45e38c8737de7289b1f54e171a3719953e3a5d95
SHA51291556869c3d390bc751ba565d2462bdd46c8fbde01d1637d0edf71f524971f6e0c4f6befe33088588233cc47e6df1280f243f25b1ed994b0a4f730ff2f40e7e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD57169befca2f6e09dfcef72ad701763b7
SHA193a1debb1302b9f4c55e9b56c4482020505dc304
SHA2567e970ae33532e9bab802525c51ba9a259cbf99e1e1ed070c7a1c657da049bb3f
SHA5127e476b96fb6bdcc90cfa0c5697ccda73f231de45e70a58ff21c4a328cf2c368b101fb34aabfa41bf1253885a9cab1064a135f1c6017349fe1215e2c6841c2a5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD50a5a8fafeedf2577dc7779e40c02b59f
SHA12c4b6aece8a6c3ce29d51f8d3b0fa2bde29d1332
SHA256fdc1fed31637aaefdc5770e0badb31e2bbffd32a203da349047643e7cb9b0c6a
SHA51248f1814f35fd076cb000be043d575b8ce0185c65d38ce8e0aed4dac354faa6676c1115832e4a907772ca3869eb81bb5abd126538f15a876fecba63ab8b366024
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD584ea66f3d34c62d05fc5ce06d4f7cbed
SHA1ae6fe1a7af672bf1817bc85fda15aee97984778e
SHA25617e1d2c3bdd749cb93cb792eae23db3ee71d02ed4a6e2abf99a8a88183b77856
SHA51206fcf2236c8ef69443e1579b9c39539ef8062da7f9ce36ce0e4fe731fb2977e141073f89e52babcb81ee9dd1a4efd1082140624796b0015ede937fe7b6028630
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5b3e55d5e086b0a5529866a6c4552e8f3
SHA1bd1c98fd6fd264f27b1131cf190ec6f0c32d76fa
SHA256cfb2cb400337ac5836054c4822af68eb29c29402b6a5594e8d9e89651066d27f
SHA512acde2822c99fe1f00ca0a2d24d1fb0cc6190006418b4dbe40abd7d0c0bea8b5f0f5c1de9164b40b6764f14192a462796a3182e7f9ed420269456b874e1df63a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
7KB
MD57f84b429cc22289a29d635d2ee087ad8
SHA12a688b2974b787d7cb314870e144aa9e55a96d2a
SHA256f3b5e14f3c9a43bba9587486d2ea193277eac4d4467b0a0ac88a65141a930356
SHA512f3442ca1a8450ee99fb0474defd4923eccf28c5eec7d0df97aea9557d4fdc1896214c8438a00a18f4c9c995563382b2bb79cc226cedf4fa9a933eff6b961ca64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5eab1d16a4783fdc8e8c8b6e25435c96e
SHA1c49e6135495872e6d71e82415cd1501e8fcd8918
SHA256890f269f6d4179e93c389b46b1627a6498a0c1018da7f648063e203a80f84554
SHA51244b120f8b4ac77fc7806b044922ccf2719083358371f4e4cafd574f4c0ceb2d7934a0c86e9c0a6118138f219c4a482c351855e84772c9cfb229dd2e5d07bc85d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5a84e6e35b1301a072fe77997134a3484
SHA1646edcb775261ada5c266d19d60077d50304e64d
SHA2568b62e54b73924e6b5c227bf1a36d341447d5438e7a9d625db1ffcc448286aee3
SHA5129d657107c92db3df21831dbd901d6968a76152bc757cbfd9d4d3eb990e4e517f20259d6434e5438f499fcc62c7f441eb7066686599f3259cc93660b3c3e7cd5d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5931e27aa7d0d495e8e9fced6030f9d44
SHA1af22811a5e0d4170dc4fce11c2f2eae9055c4cc2
SHA2569730c654ea17002363129306116d5162089ba43cff5c6f80b84dfdf8e916c384
SHA512326bab246243094b064cb1ab91421320102a1d27f6c6bec87af2511cf22f70de8271fac979a73eebe21a3aebfd1384e0e029f5809d8149990821f6734c80d788
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD54d98a3932115070fd9c74016ba2aa70f
SHA1f55346a4a701eed02f707f7450f7efcbf0ad27e9
SHA256a46baf37009ce1885a6a9520f84e61b6cc348f6133d1926095d7c55e62053119
SHA512b0b84de4cc83d259e37dbefdad95196144bc92d9ad2152871e0a84fac62b83bfaa7ecf55dffbfd4ae421d3ffc415e2e63beb711b379b2c002bee05cec145f088
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD55f27305f94b43c67ddf4ee651d3ece21
SHA141a474cbfa3229a8c7fed03ee9ef98d0349feabe
SHA2563988b022183d5ea9dd9bb2b9622e3b89252a77337ff227869f26f3e76de119ed
SHA51244e4ebd483b33b0e059f91bf6ba4cf11b8352779d30d8c7de97f680d7ca666d8fc27e8d5c041ce8fff610e4fc4d642c7759f3a26671a8a66e4cb06478e6ae915
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5e7eb9b73645c04628842baed818f2ae8
SHA17882b2a49dded4e4803255aa1a161f677970dbe9
SHA256d24e553e10f4bf78ca010bceb51a48db86f2c42041ce31acfb635ca0b24d6440
SHA5128a867c4a934a00dc248b6a97b8ddc882c41438b8fcdc8fdd60fab1ca4b6764c924afa414eef0b085e441953d685f86f780eec7ade8ccf07c949de9683fe14e1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD58f7b2238a5b636a6e03e7d906bc4f0d7
SHA15466670245ed846d4cb88bf98527c9688253286d
SHA25616bd481a256aa9bb8c08dbeab0534beaaca0d0655bb199155f26c87588a4c157
SHA51237beb757ee01d6640e95bb21723dcab1c22f6a0f87119cec7aa7aa4d14b3f6ce27133a9ddde74f3e44f8d0a8448a77f46b5c1773e9c55f84e45c8b0cf948c2a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5cc0cf53abc18a3fe11e77c51e9a00203
SHA1fa735793229f87d750793f98807af24c5fc2a953
SHA2561247aa25dc85749a4de5014834df3e0053ec0603646be2d2e015325b26651da2
SHA5129ebdf3c1cf312583fcc37603d7b90d61774c2559160fe20661ce73c694570de8b107f73c820ede243b25be4e49d107b48846f8cebbb15757af6cb64494444eff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5ddba391e3cfc8a9226cb6d33c392aec3
SHA1d1053eec6ba14651fa49463ff3e16131328958e9
SHA256363b7b4f44086e53e2931946b949c6aac141a0a4185b88a30c17580c0818f7f9
SHA512a6f6b3192b78657bafe81ba6d10bbe500d8a49fc824dd3319ed2616f38c6e96a5231f3bbe79f13f2cbb8c02ad5d828c9bf1db9dde5db804f1e7186d07f17a2be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5bc3200b562de6392dde3faefb6c12557
SHA1b094757afe2de51cac39c17c48c4c7f0e1e4598b
SHA25645c3b30d723c7eddbaf8d6608130ec881efd4ed50763644dfe076c07ee2cde30
SHA51248decee753f6d3a504da1715836e8434defe0404ebe8e844bb0c26a75a881fd3f069fdc0cd55bd9375886054b6de818991a03b1c20575eafe7f61b438b88ac2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD565d029a3d06debced42be115cff6b11c
SHA11f253d93b68326abfe805bd7cf13a1ff56e42fac
SHA256b01af1eba09c16adfb50cc992410d27243c34270a8970aa77b985da674e59417
SHA5125dcb6ec9912293d48cac104c5cf4019075fce8ec06b6d95aeaaef264b83be75a5c3683352c878fe5240700a16cf758c6f29832c83a90971316eaa7f9bec7a1ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD52ddc89e107032ec5f8519d87ae25603c
SHA164b0c44f9e850e7b9b4c41a1699398f56a4a47c9
SHA2565e5eba9f48a7f10a480b66fcb326b2cd50183301cf8297f18b73a2e8a8b47f5f
SHA51296932d71fbb1554a23db8f4d48b5ac7168283384a69db7d6a8116b1592d4319a391359708954974e412beb350e553e92a04488c143cada0a52093a67685b1a4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5beac0f937329db95a655f7907d36d2fa
SHA1ee5e7683621a51ffaff1b51ccb17368bb3b17978
SHA256237c72a0364a3d9e5ec492c6fc25b19b406ba621283ccd111049917753496a9c
SHA512581c0cede0bc1bc69466ad0476c9b31166bb7629e3d0f71654618948a64a437f7046e6cc27855cd3ab34d2be927c2c67d42db4aae2cea86ea4f3426709d30b12
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD536aa4cdb069b10142e0245b3f71239c3
SHA12112a32d5051b9f22555734c3cd3c7e18c8fa638
SHA2560045c8a6cc06de317c669334fddad2182cc25b1ad6d0235a6f5aba8133dc73f4
SHA512ae5d145be46e89c2e61ef865bb033f1b49e481c6170bea2e77b757c3aafd857c7e3e058eb118128a5bbb4a59b91a6777e17b7cedf9b65dbfaab58a8adb96132c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
6KB
MD5205fe700620b6dc6747c860490675355
SHA10721d6d0ac7ec7285ab59a3e2c4346c93556968e
SHA256b0b38986b4cc161799d9560bc3db0cdb5851f44ab9e94f67630e025ae2e3cbad
SHA512bad5c3863abec05cbe586cd31c295b25c4b987b8d34093c8c8876cf37d89fad612877690313ebae01f2aa36e979efe616742995a89dfcb9b5d7715b7af1ec83c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
6KB
MD5f1b446f0fedde38256561c3489256b5f
SHA1d6a18c934fd68007388fc5d1a3a1a3459e9c6cc2
SHA256ef6161007a83dfbbe80c1a68b1d1213918936533af4a82f16db40c8760a9ba44
SHA5127fd8f1fb84ac42bb7bf56000b677a3c6572168c5ab5c98cdaaef991060d2af8e35444d7f49ceda95f5bf327d28551d237575acf59410a486d72558391efbd8f6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
6KB
MD57021a518f02c62e406f930fa83bd58b9
SHA198cd116ea7e30381f74bb2b8ae418c84d7711679
SHA256337901c22c78b747be508e22c63b22d955b1ff45d24e6c1bdfc8403147fd9c10
SHA512be821c28dc42377bbf927ec04521b6c0077100818cc33f49f41d5d27ec740c2712c3683623e0413c1fcf7f777de99c09c425a6a18af3aeaa5110f04328f59a6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD59f8d64d16be04a026d867f69fc727247
SHA18138cc9fc8da64213b338d3867281d80a54b6e1d
SHA256eca23e9103c875c1120f89ea116c28515b947fd5b5d7e4c831e863f4826a0e30
SHA5129b9d7003a0a26a67a2de85d73c4789aed4bf54eb158d7051e099c861b5ee0f728334242bccbab5560cbf1cdf22fc8b41787a35d0a619115adb9f9ecf2b8badc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD52fe7f75a034077784a4ff139e901f06e
SHA16dd6d58729c229388722f74d61ba855a5f736e34
SHA25652f5b65d125abfa99da37f2734ff4898250800024a92d044bf976596a134ed52
SHA51255a3c28e897771b92e10359971a981281a07842878ff2ebd56f55f138dda6090cb0734e9c75863a20b7c08915f0b1e05df081d0f6ce1c58a7a279bda533b99b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5be16a1f8eb57d5335e9f91fa4d833b54
SHA1cd4cc9e57a32c6d6255c3ce621c091b678415083
SHA2560eacf7bfd592c1d7d8a6a6b404530441c46550d6c79d81aa88a3616b11e3b74c
SHA512dd2182dbb52a1136e7ad5819c3bec878e74aef1af8a586b1cf7029485aa6e9a26d41c94c96c3b9368601935839fc1af883735b1802d6bc74d217d9bedca559e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
6KB
MD55ceecabf72e84abc9755b10f594bbe46
SHA180a48942f34f25fd73b15ccc8eb9e270add70ea2
SHA256a58cbc018f326d1c5d087a35576c8a5d7c9b5b247e6526c6e15c561f6faeec3a
SHA512df41cbc743a893c09e7ba0f8a00cb321749ae37545ca783a4e7174803f0e28bbf7d6fb07d83c74f4dbf5c06e28260a29ffee7ba1573be5f769d8e5f08ce76e1c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD59ed7045eb78aee1df94436889edca1d6
SHA1b1851ae350bf37909326285701a16df8b54b216e
SHA256ed9ab406b7a1ee142e1ba8c01f19cd6d8e5cfe893cee8042eb05db713c5a54e5
SHA512b16b3820cdd2b41653169927377c87cfe4c717c790f2f3bdf3dc0e4feba4c1f5a68390bb5f089389980d4e6d5a5d88b3466b7901cb87b16149cf33259af5b756
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD59bb9fd2f45cdfded84db4e653f0dc11b
SHA19a3912418728db2ad16c28281c75bff9de23ca7d
SHA2567ffe7178b4326a59439e00b05478c3efafbda659ae228154438ed30860163de6
SHA512a99cbf5d30d18d54d59574707c4eb17495ef217d2356523044437cd5203eb3d69cd514bff9dd94ecbef2c2ab8f14ae2985e84506fd01e62b2d9f4cd1edf1be2c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
8KB
MD5462de5e42938ae9be7bebc1c33d636a8
SHA1a2d4534f6d24c6aeda347b810f70013cd6c45c78
SHA25615dca6c8c8d617b53dea4cf0bb9252f5ccf9372648875cc8c58b0fff1839dc2c
SHA512942ff2b9533a7bce1afe8e0991668b38d84ff23ffddc82e286b230fff01ac0a5a44fc279f4c2ced6d6deda9a64ea0410d95f2994a9f36ce8907ea59f5468b670
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD51c084c113dac9b04eb19be67f0c3cbb6
SHA1cb41552dea837ad072af84eb3dd78fe8d368a3c2
SHA2562a365fc05a202375a4afc441c533f0c6e4e26238411f6211e3b1cd4fe771ca7a
SHA51244f4580187cafd16f1b942acd432be2667553c0607a42bb979c121dc4996506c15a5a4db552b401876a76ed37f78bd1104d752e510558798a569d953985b1013
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5dad98f0d73bab1efb981ab54f80fc681
SHA1d13f5460d584e56c2e615f17c6d51cacdd1ec7e7
SHA25681bec62bc4625221673b9c527e6ea002ddc7d62142f91dea2158cda31d4629f0
SHA5123080d938c02aae18a99e6b777164e4b3a86ecf5091a224ef468e56191b268ff1f870aee5b20704c84d2c6a8aa373f442bdf5255e44c2237df0d549667fefdcbf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e961.TMPFilesize
1KB
MD587c8f91f06f0d6518b8d8f784a5f48c0
SHA1909b6be155836550d402f3b4867f09a40ad5dbf8
SHA256d23ee0d47ffd8de63bc65d6d0530046524584c1b2f6515cd3f523f2d937b9316
SHA512b9c56aa4f619b9e450a953a829ac2344cbf53f26466644c3c6dc1f85463f53a55a35e09336e7e44ed0fb18ef18acf25da492f475c9473f3cacc61a97b22fb820
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\5f576a50-50e2-4330-88d3-a3dfa33be567\0Filesize
14.0MB
MD5f84c0ea6a6e1dbb5b868969bd2419e19
SHA1c4e6af4ade3feb8e611d8fa129ff3629f628440d
SHA2565357e54b6c8e0f62275deeda72198535c5c64547695581e43cf5b25909b5902a
SHA5124447987f0f7de2bdcc4d1796a35e7338ff27425552c9b6e9eb247dfc48990c734540c58fedb79688002d9922e2bce358a7096568284331ba7ddf7df61de94054
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f2eb2ad1-3f71-4e36-a044-5f41329c9ed6.tmpFilesize
6KB
MD57ad2272ea57f3daa03826bb7459e685c
SHA1ace30c12ebf9b99683472140cf678718097bccb1
SHA256d8857b9bcf7c4d778e274a97c6617bdb0fb9a5235ed556ba5f3317c05602dfcd
SHA51218ae3ffde612e7a75ef40fe64e87f347bae664d2ce65e964a0d4faadc0b097c720e2074217cd09185d8bb8b74294e4bae204bedc8a02ecff8a12f9a79374d2bb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5131b46bc9b895fcdf4896523e53f3fb4
SHA1a21b99e5d3c537e1b6cf414e8d3516c95f0172a1
SHA256a2ccee9add67f098b514742facff4cbf876a00001c58a20485e30d8fcbcb0fd4
SHA512ab42e5c9d43fdc24eb0c76ec2ebedd9d75881a9ecb51cb3d12f16358e5868a597ac0489de20908220bf95439d3546aa98a679a1dc311b5cf9fbd24608ba14baa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c1d23c53fecaceb74626b82ab10f3429
SHA1859fe0340a99fc8172381ad55941798de27416b4
SHA256d0a56ad994af02416d7aa1ba41cdac3ce0d0fd4efb13fb8b506368e1dd88ef63
SHA5125390a1d62a09f5477499a08a777912fc87f6335e02a729085c24b115bd588e9b8d1f9dd4eed46c23650479233e13fe5be8059e0e71434574808d642a762017be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD563a5563421a6373dc7f4e83babbeed5e
SHA18ed8ca58c034f98bae3394f07b3c67f9c076ad6d
SHA256165009e61b4b4b87e09119f203fa914be77c2b6946c372090e3dd3ca4df4ed7d
SHA5129154e692ace9e62f93540aed7842056b40d120b2b442ba3d2f77fbfee193c2f73fd688fdd1c2f503f304dfdfbc83b65d6ff4cb0dfd782106beaae1cb2a5db540
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD595f585453f0e99dfbed83d8b211801de
SHA151664561ad0fa1654fef4c7b30100f67326dc3d7
SHA25616136e639660fecb05a34e00550de22cfe177cd2a04c0c5c4f2c4567ef9a8139
SHA51279742319cc71e0791594802cf52d4cdab7fd7f332792a1730f81a5169c4406d44fbca2969b770ddabf1d5d99d62af8e3ebbb65c6df1bc2e613b68a71758a44b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d180cdcb654618514d3f7b2766efd6eb
SHA17d775c4d8ccb530dae2dc08c7c1ba347bd489990
SHA256738376823c091121b8d0fc2652e10483859994bc44a8565e1f7fa2e271def5c5
SHA5127ee566c616b7d066d68cef81417dfae0581be3cba256b4e9e6b221ebe20c01cab8c6e3f591f40ca385beae0813838ca9a3dec96a2ce37498c8d6b1eb17a3ca26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52d55d14f834c756a1bcc5721975a642a
SHA1d516144f748ef0a0ae44d83f4bd9653bec75d143
SHA25610b8b190e8ee7d7d41f1e43e8afda8a06da5067efd30534b7969f7d597c66353
SHA5127a14eac0805e1ce938ddd65af862ced101a51845b124e7ad68dd7ebe6cfcc1d10675b5f35a1dea0137fb01e061b61ec88fa0691e47a29b8d0ac0cbf1097ad0db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD57494f4b56d838d59b64b419788b48e90
SHA1f14469326f9568d3552820a9a151a8d9af92d992
SHA256bec2d668ccc9f4d2dcf90b38ba7ebd00744e778b655396558051115755aad2c2
SHA5126d096da6dbf782c330f6369746e3525c3102cc08fafb56d93d73c0f5649f913f14c7ffbd2359808391172bdedbe7698b1188f1d39683beb1ba370bffbe83b1e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD562d99abdea598a43e6c18be0f2496ca7
SHA18ff3b9fab2cda87fe00734e0d4d0c3a2350c789c
SHA256cb5427d66ad4efffcdadc384159430aa5c1f811b915a1c93e4e7a7fb87d75796
SHA51280d85bca717cbc5b49a37accbe6bee8fc754a3d8bab6ffd77f7e7c0d592bf637ec28d8c12a2c7d0c201799e39d7095c747d9de7a0bf4970e6405f9e2b04c61c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5bc5969413515c8b242973d16667706c7
SHA1b2e1cf67bfde13515e3464b507e1711cf3911f3c
SHA25628d5429af47c08cc75f6f9fd28fdd4d9072aa18a06fee2151513cc2f5392ef9c
SHA512b63dff797845a140220fb958058825ccf2ebacbfc86b6e3105b524e97d6785d9e00e28545f118f89f99130f302eb674c3e0248917221ba91c3d2a2653c57df59
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
640KB
MD529a9bb7557dc4c8a2e8dc006794c4e0e
SHA1e70a4674e87e466cab5d3e9c1850f64bd3466317
SHA25648fb43c7614f3dbeddb811cde46f6874f855e7605ceb41dc3c93637e23a9c071
SHA51224bff0694725015441060e5fdf21450814e15b2f3dfd5674d776ac4d78d74994e3a68c49e933dd850ad9c3b2a1f808ea26c59c4fd07bb84f5c8dbc8b67d6be23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Temp\SS4yXHdF14\Browser\cc's.txtFilesize
91B
MD55aa796b6950a92a226cc5c98ed1c47e8
SHA16706a4082fc2c141272122f1ca424a446506c44d
SHA256c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c
SHA512976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\VCRUNTIME140.dllFilesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\VCRUNTIME140_1.dllFilesize
37KB
MD575e78e4bf561031d39f86143753400ff
SHA1324c2a99e39f8992459495182677e91656a05206
SHA2561758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
SHA512ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_asyncio.pydFilesize
34KB
MD5b42a92003d73446d40da16e0f4d9f5ee
SHA13742fb1b2302864181d1568e3526aa63bd7db2c5
SHA2566b12b8a4a3cdc802e53918ad30296fb4c9da639595463eb6249406e9256ffaa3
SHA5127fd42f1aa5c96fcc1f5ed7289d4f9a1845174e47112dfa95ebbb23e22ab7ef93ad537f1b5dc9415ba78d71a84bcbeac35d9f27f202c4cd81d855907e1d90f91c
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_bz2.pydFilesize
46KB
MD581578115dd99002ccdd4095b1152db1b
SHA1e497a0761f2ac9eeba50e78e2d2f4c2349babcf2
SHA25627b6bf8412d7b660939f31aeedd87585878470b7586a4361f0dccdadd7d64b45
SHA512b468f71b15cf92164cee6b81bd840864d1d795b86ba3fb33317c4ec89959d5f10b62530a4edf8960e93741af54500a062c0713ab3a0d9ff929e6389633538796
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_cffi_backend.cp311-win_amd64.pydFilesize
71KB
MD5c1cd1d53ddfe5033a341f0c2051c4357
SHA1b205344ada67dc82d208baf2d6b9cda4a497abea
SHA25644381ffef40a5e344ca951de08f13fb4e25096c240d965acfaa47221b9f9ef52
SHA512d4f509cfb8fa1f044ff4b0b55c5298ead40fd635cfb5a6c7d779a66eeb5f52d3e30a5b3e61507f2891e9ef1070e0c8eea1b698b680048fbb7cb5f15f4e26d309
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_ctypes.pydFilesize
57KB
MD587e8cc70c59737ce8e248a35550086e6
SHA1082b43a944ca3739602d0edf96e37784d32fc509
SHA256e8a40dfc0d412329d8192d78bcd3d12199ef3551b61dcfa3eb852f86ac49a493
SHA512d418f1cf437f4dd8797bedc7b909d2433ea03fecaadb34135db13d0eb34b9b16aedd1c340c4a5670fb05df420636a83ab704c0432a605cf5e95e9ebe87ef2a2b
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_decimal.pydFilesize
104KB
MD582ae89cf9d47eda296253e6a4b3bacd8
SHA15b593f3d8afe484b0afec866643b26b14cfef05b
SHA2565dbd333752ed7a1767c8b67d3a6d36ff141b8752dfbdd70386341b4f55fae3dd
SHA512245c6fd4a64c17e7936ad9a84299a7f5c4ef93ac2b1dcb86cccb10a7d51e443c3afd47822eb3962d37292015c34cef76f394c41b680b154ed18223b2e20c32f0
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_hashlib.pydFilesize
33KB
MD544288ccbdf7e9b62b2b8b7c03257a8e8
SHA1fe70c375cc865a5abcee331c069d4899604cfe1a
SHA256d7cd29693e5632ee2e91b1f323b8eb5c20b65116e32c918a42c0da6256d83f9d
SHA512ab517968ac5662221cb0b52d17a05211c601af17704c625c2f6d4fbce33b20f26a041a86707450297f1f3a4384589223cd8be7a482a7c37a516a2957dade0aac
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\_lzma.pydFilesize
84KB
MD5351034ddaaf1234458e65b90c4189eb3
SHA1246dc4c5011f9cb2b0c85e453f9276190a1b6c6e
SHA2563af3703e458370997679dca6c2241a1fa1c799248c4e092e614e2c103690d23b
SHA51218f110d73cf876638b72e2a877059f52e4cef4e2c2ff877b1bdd21747364f9f5a339a6d349a941e0a0fefa98e3e34ce5689a66caa1378f3c3ebcdf607a87eb13
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\base_library.zipFilesize
1.4MB
MD583d235e1f5b0ee5b0282b5ab7244f6c4
SHA1629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA51277364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\libcrypto-1_1.dllFilesize
1.1MB
MD55ce966f78ba43eaccd0cc578ac78e6d8
SHA1565743321bfd39126616296816b157cd520ba28f
SHA256d47d421807495984d611c6f80d3be0d15568bce8a313df6a97cd862ba0524a0d
SHA512204e54c2d45ef92d940c55f37dbc298e8861c3654ae978582637120d29ff141c184c7ec1b8658aeaa8341d8bf9157ad29b6f6187d5c8a019b56e3b7643037a04
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\libffi-8.dllFilesize
24KB
MD5cf6316144d6f3b5884f423b1ac6c3907
SHA16e05f6b2772230a8a7636fa5db81958fba5b28d4
SHA2564022e7cf1dab9d68511b7235aa3a26aacf267ff23c30319f59b351b058691dc4
SHA512f411aaacdbbd3b2aaf1c969c697b281c00922c43e7b4dee2c1f237f468bbf273f455bc11820c2ad0289efaa2f525920bcfa63d503e089322cc232717f8ad9d77
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\libssl-1_1.dllFilesize
203KB
MD55bdcdfe8f74e6b1022224daea45e00dc
SHA11519130c894561067c5e146129ad9026da6a8f4d
SHA256bfe8550987814eb740d4dc8321a52fc97582166541395bb802307b96a151baac
SHA512276f4dac162fedc95a6a3924d7939ac9754a6738c0a487dc17ae1c148a7960fa47fd356f8bbff1c903624b1d631f5bbc27e7e51da0a79c99342be935eb5b8c1f
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\pyexpat.pydFilesize
86KB
MD5562cfdd2aea820c6721e6e1c6de927eb
SHA1bdbf3f8b92a2eb12b8134be08a2fcd795a32ef25
SHA256250b2e7962e2533bdc112346bbc5c5f66a574af0b87e18f261f48ef8cee3f1a5
SHA51224df40a620fba22c5c0e3230bfb0eff617a905e134fe810a60020bd8db42032d848ebf5034267f181918cab8f754f826d4e17cb461b45a32ea59ded924a4d0e4
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python3.dllFilesize
64KB
MD534e49bb1dfddf6037f0001d9aefe7d61
SHA1a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA2564055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python311.dllFilesize
1.6MB
MD5527923fc1de5a440980010ea5a4aaba1
SHA1ab2b5659b82a014e0804ab1a69412a465ae37d49
SHA256d94637faaa6d0dbd87c7ad6193831af4553648f4c3024a8a8d8adf549f516c91
SHA51251a67b02e49a36d11828831f334f4242dfa1c0ac557ed50892b5a7f4d6ff153edab5458c312e57d80ed1b40434037c75c9e933ccbf4a187ec57685bdb42cdfb6
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\select.pydFilesize
24KB
MD59897d23e1dd3ebb9706d922160986806
SHA10e319352d8e7d4c3e68392b78417867dfcbaa41f
SHA256d0a86b39b06741b3628211a5740d9b5a4719cd75b8876967776d6e4d433cf41d
SHA51225bfa6cec4897094165d99fa888796897510c0ecaa05fae2992b469a7e035832b0c68789b9ca16e84a86cc09278a814539fdc5ec0b89f5efd66e61628cc165e8
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\sqlite3.dllFilesize
608KB
MD520eb3b9f1713fc51d7b5fc7847786963
SHA1d74ac2a3eaa387bd6698289a74622f0e7c2eb65d
SHA2566edb12716ffbbbb17a5414c9366d66ebfdb172981261f7ca5be57cc81de57ebc
SHA5127b566c98b1de0037ca0e3fb92a4e7b7338ed474a7e07789c544fc652cd24cff0c5c5b0856d4c95bbe46b59cdd942df49fa8a9322cdfa2777c148a9db805ed0f9
-
C:\Users\Admin\AppData\Local\Temp\_MEI28762\unicodedata.pydFilesize
293KB
MD5dbd7fc132fc99e953dffc746d996bc0d
SHA1b8dfa120d81a6ec16bd152f84defbb3e2778f30b
SHA256c2a740708514d5be94e69db82a82c82df7fc82cee4bd066249d6adce833a8656
SHA512ce4fa63de7abbef0b28f6fe80fcff64211c650695a7f54eb1a3bb9fd8d8d11174e2ffc9c34b7e8176b4d6cac1eadff3e25e4be1d58e9646f546b3b2afa3f7721
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xu4pal2.nxg.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\chilledwindows.mp4Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
-
C:\Users\Admin\Downloads\DesktopBoom.exe:Zone.IdentifierFilesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
C:\Users\Admin\Downloads\Melting.exeFilesize
12KB
MD5833619a4c9e8c808f092bf477af62618
SHA1b4a0efa26f790e991cb17542c8e6aeb5030d1ebf
SHA25692a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76
SHA5124f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11
-
C:\Users\Admin\Downloads\ProSwapper-0.9.8.tar.gzFilesize
2.0MB
MD572be4b4f8bd128fe880484a9cacefeab
SHA1e6221b1fa1481d99780f4188adc2f490753ae950
SHA2564de9c6cd3b12bcf4b3922a555818c444f8e948eaeab8768de50a954301a0b708
SHA5121e9271aab7d33e8d7d2613cfc54f87973f0ee5e589750a5bde0e37539beefb32fd7e57e7019580d18a832170eec2d5bb4934bf5fe050891d7748e4a99b163d31
-
C:\Users\Admin\Downloads\ProSwapper-0.9.9.zipFilesize
2.2MB
MD57647b0a8763e678bbef1260302a31ff2
SHA1a90e8e4a29e24c6eb6108fd7d9426969c2606932
SHA256ef7d312d0b30729c1d89147a2c1a95b30fd27d1e80341be0c8d57c0ae6d1c11b
SHA51213f03b9875e4e00cc3dbcc120f060661efcb9b91fb54c498692c50a334f4f07c071a5b4e52b0e844efc9f6b5fde77d7e8ccb91bfbd2c9c20ff0ec233c56ede85
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize 152B
MD5 64efdda71b8d5c897a76fd2a7d2e6f2d
SHA1 9b6563d2b7c9e9dad4b3d8be87c723bcdf6ef6e7
SHA256 a0e13cba1fa0e4098779bc625574c8e7aece67bfe2a47db67df9e6c2f6a2d27b
SHA512 57ef6c802ab380d0b1413e7768dd64b324f248f078ee6ddcd4ab02aee1c204259373b25a0be3d83787c493ba337097b595fc8ae205f10bed46e6619ccafef669
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize 152B
MD5 d56a5281c6bf4ad250403f61b6a067f5
SHA1 d7f89d8f51ed8699291058438683ef1b66cc4803
SHA256 36f1b0cff87f8965ab275f75ce6ff648ac077ed9e6c6a0f9e99d26e2fe3ceefe
SHA512 63feb89f94a7f3e5a2af62da8b662e1406640cea703b50d9abdeeae81f79d7873665b8da3e8dc0ae9d480db268f23fcfb7a300960578f871e850575b124f4efb
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize 152B
MD5 09b1092b3df1a4fea26b48942446910c
SHA1 b006b6bea8109f599c8308a6d08bf77ce5756114
SHA256 1174729d8d1b8becb617d1b71729b5465812c090ad4e589f04f1908afe3a71be
SHA512 a0b909e0c458508d71aebd1046828089d44b59a81143b2155c9c62336e4b75a6ae2bf4afe8e49192c65c6794168d1d751e3426ce9798b8b16665fec8f78a8bca
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\6587a634-babd-4a4d-a7d5-f7b01d5b1cd5.tmp
Filesize 1B
MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Cache\data_1
Filesize 264KB
MD5 2a4998eb93bf3f716a8c98fc6239130d
SHA1 03377132cba6a41ec5989b26aabc9e6afd34aed6
SHA256 a5571c0f6a33cddb71c97ff59693e3317ab282defd81f6f08d87bd7e912b61f4
SHA512 b946fc3c799e8a04bf46d33cf4d079954acad197d483702c6faf1b23f7fc2438418ade21174634db71251594b9bf9e2f9fadf5ff1bce66fa342517c0bca46313
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Cache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize 48B
MD5 0b40b8fa0b93d4e6344dc3ac88268cee
SHA1 85d6e8d2ff5c98f8eccca229076e8ef894b78607
SHA256 0e1f3456b4a03d58221c9f8bd4cab85195017a25afbf6cbf72365e82bea4b48c
SHA512 64fb401b4a8c72807eb1681c7030ad005fa65e5b055a48812cd2fd3aafbb027e51ff6e6e2a612f347875c4849e6329b5457897432061b71bdb222ebd9c8eb47b
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize 144B
MD5 2f57e94272ec87d16b892c27cd91161a
SHA1 c9f4063722ea42ef63750baa774943143ace5c00
SHA256 fc17da9bec523809fc231d302431ce1d844ef1f4f61a3fab8f72779a0051def2
SHA512 92a42db394b2c1e581bb8b3a9b6fadb0437cf816093ea2cb33519202e2492d1d78a711a4cbafb9230bd9aa9128a1291c5f9ca0aeefa3d837f65892fd41d2f807
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize 144B
MD5 d0dbb2d272152ac2d3ade22096d3f355
SHA1 f47e5e19fa038b821652e5e997a80b19281ee3dc
SHA256 cb77e1956431a11676d8abf3340c59c4b0cd5aa4c2c93160d09556c3c42e37b5
SHA512 ea149624451dcfb802fc7c8834be5825c22b30ef5be35366e858260991a5547814f7917221a0ac2df14f20f1d36af2a3bdcffa9f69ecd84858b2c0d539a8d5e4
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\GPUCache\data_3
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Network Persistent State
Filesize 494B
MD5 a9221ec80dcf0bbaa53167c729b7bb02
SHA1 1feaec86873150bf3b2dbcaa9dda37ec8cf78881
SHA256 4b729826e65038b94ad23a215ee86b420bf0b8d05a55fca55ecb205aced85b22
SHA512 452cef46649b7666ef12292d1961b5e101fce1e125e9e128d3c0449a08349b1ab8e30589eb8461a342cf5a9e3e40c40bafde889d9792b50764cf8db6c53f9c66
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\Preferences
Filesize 4KB
MD5 7a9224c15ef7c5c42e99270df0ce4294
SHA1 370a996ed72aa88fcc71082cfb6649e47abbafad
SHA256 17a2ddce023f58edde3ad6ac2588a5eb31a29f04eb1ebe25997c044233588a05
SHA512 04229009c86310e094b0df0448e1dba2233bf786d371cc84ccd64a2803c3958335bfee919ea8f27afdf4a5acafbee439c3c9c3d6a93be85853d127b313771f5c
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Default\TransportSecurity
Filesize 370B
MD5 d12d31f6c2989b1cd5715a9fa052de9d
SHA1 84e21c082a7fe5e675f4d0e59d452e085de49003
SHA256 0252ccfca17a30c0879c60bef706b0122f6c4a6e04c8392b8816b97e803dbf6e
SHA512 dd43daabd50c6bd9f2ab091278a22d08146e634b517e1855562e1c1c4293ca1bb436abf21145b5ad5e429f751ec213d177b8d0be90a944b7930497fc02e11d23
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\GrShaderCache\GPUCache\data_0
Filesize 44KB
MD5 2d7477dbd4e994c0931d7265421bf025
SHA1 63fda3ac68c86f39e41dcd11fd2f73ae37c5ba09
SHA256 13a66170c45afbac2dce1672df7f41eada772eb6900c3a072d3b0d887843bf2a
SHA512 985f3d9c3fe1808c240e5fa457b431ec5df090d067f57da70f28a8f8bc37d6574d2deb67617a61bec3585fa3da1266b10def866d0bc23c2d77c54390fa1c9982
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Local State
Filesize 8KB
MD5 4fe9c3b031848715d184e4ea56295434
SHA1 cc74f420bc136331e12520ac28f08a0ea6ca9e4b
SHA256 bc958add9236e7fb0c111993289d696c6d6eb5eeb4059978f8e7b9ed6aa3276c
SHA512 5eec524ff1430b48e6a987c8daca305523096f744f4c9a7086638fd89f58cecf2cda8c571402e4335053d673f0fb1e265d979a164e995d241d59a9d475547199
-
C:\Users\Admin\Downloads\Saturn\Saturn.exe.WebView2\EBWebView\Local State~RFe5d44ad.TMP
Filesize 8KB
MD5 d9037fde9581018d1bc901e38f57acce
SHA1 d4cc7aca233e8d8984c8d762b4fe0b5511e38cf5
SHA256 077b4e0155234019ac556529fc0b3a0e33685de8e0a48238a1947921d09df583
SHA512 ba01e7214fa78c3143125e8afaa18d7daa2d468601a433d865c1a8a7e84a4c830a2075d996e9b20f4130bc8b11e45b75f95a6f92df76efdc13c46811ab36f9ef
-
C:\Users\Admin\Downloads\Unconfirmed 240087.crdownload:SmartScreen
Filesize 7B
MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
C:\Users\Admin\Downloads\Unconfirmed 325979.crdownload
Filesize 68KB
MD5 bc1e7d033a999c4fd006109c24599f4d
SHA1 b927f0fc4a4232a023312198b33272e1a6d79cec
SHA256 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
SHA512 f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276
-
C:\Users\Admin\Downloads\Unconfirmed 476261.crdownload
Filesize 1.0MB
MD5 055d1462f66a350d9886542d4d79bc2b
SHA1 f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256 dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Downloads\Unconfirmed 511769.crdownload
Filesize 1.1MB
MD5 f0a661d33aac3a3ce0c38c89bec52f89
SHA1 709d6465793675208f22f779f9e070ed31d81e61
SHA256 c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a
SHA512 57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443
-
C:\Users\Admin\Downloads\Unconfirmed 833379.crdownload
Filesize 19.0MB
MD5 49a07e8a22e05bcc2b1a4c158fa546b1
SHA1 89a05f681de4159cc4a02064c585730116256523
SHA256 e5772b4e2d28405fb7b3bd201ed9cc59fb3b13f76e97a9f682607e9d02248770
SHA512 6dae2c02da7005140914deccb50a7f03c02d609f0e37ee30aa31a536b7f3ccdef71d0873867cf913468172e876d4026956bdff1e822c0e09455e417172ab98c7
-
C:\Users\Admin\Downloads\Unconfirmed 965993.crdownload
Filesize 4.4MB
MD5 6a4853cd0584dc90067e15afb43c4962
SHA1 ae59bbb123e98dc8379d08887f83d7e52b1b47fc
SHA256 ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
SHA512 feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
-
C:\Users\Admin\Downloads\xoro-service-fns.exe:Zone.Identifier
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_4864_QBWIPBVHTSWZKRQO
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/548-3396-0x000001506D430000-0x000001506D452000-memory.dmp
Filesize 136KB
-
memory/696-9452-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize 1.4MB
-
memory/696-12762-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize 1.4MB
-
memory/696-9490-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize 1.4MB
-
memory/940-6847-0x000001F4AAE00000-0x000001F4AAEAE000-memory.dmp
Filesize 696KB
-
memory/2772-6469-0x000001DB29F40000-0x000001DB29FEE000-memory.dmp
Filesize 696KB
-
memory/2972-6849-0x00000223B5100000-0x00000223B51AE000-memory.dmp
Filesize 696KB
-
memory/3488-6587-0x000001DDAC950000-0x000001DDAC9FE000-memory.dmp
Filesize 696KB
-
memory/5220-3292-0x00007FFF437C0000-0x00007FFF437D5000-memory.dmp
Filesize 84KB
-
memory/5220-3369-0x00007FFF43B60000-0x00007FFF43C18000-memory.dmp
Filesize 736KB
-
memory/5220-3450-0x00007FFF43C20000-0x00007FFF43CDC000-memory.dmp
Filesize 752KB
-
memory/5220-3452-0x00007FFF45100000-0x00007FFF4512E000-memory.dmp
Filesize 184KB
-
memory/5220-3453-0x00007FFF43B60000-0x00007FFF43C18000-memory.dmp
Filesize 736KB
-
memory/5220-3454-0x00007FFF437E0000-0x00007FFF43B55000-memory.dmp
Filesize 3.5MB
-
memory/5220-3457-0x00007FFF43770000-0x00007FFF43793000-memory.dmp
Filesize 140KB
-
memory/5220-3459-0x00007FFF435D0000-0x00007FFF435E8000-memory.dmp
Filesize 96KB
-
memory/5220-3460-0x00007FFF43560000-0x00007FFF43574000-memory.dmp
Filesize 80KB
-
memory/5220-3461-0x00007FFF58620000-0x00007FFF5862B000-memory.dmp
Filesize 44KB
-
memory/5220-3462-0x00007FFF43530000-0x00007FFF43556000-memory.dmp
Filesize 152KB
-
memory/5220-3463-0x00007FFF43410000-0x00007FFF4352C000-memory.dmp
Filesize 1.1MB
-
memory/5220-3465-0x00007FFF57CD0000-0x00007FFF57CDB000-memory.dmp
Filesize 44KB
-
memory/5220-3466-0x00007FFF51240000-0x00007FFF5124B000-memory.dmp
Filesize 44KB
-
memory/5220-3467-0x00007FFF4CD20000-0x00007FFF4CD2C000-memory.dmp
Filesize 48KB
-
memory/5220-3468-0x00007FFF4BFA0000-0x00007FFF4BFAB000-memory.dmp
Filesize 44KB
-
memory/5220-3464-0x00007FFF433D0000-0x00007FFF43408000-memory.dmp
Filesize 224KB
-
memory/5220-3470-0x00007FFF48500000-0x00007FFF48524000-memory.dmp
Filesize 144KB
-
memory/5220-3471-0x00007FFF5B5A0000-0x00007FFF5B5AF000-memory.dmp
Filesize 60KB
-
memory/5220-3472-0x00007FFF4CEA0000-0x00007FFF4CEB9000-memory.dmp
Filesize 100KB
-
memory/5220-3473-0x00007FFF45AB0000-0x00007FFF45ADD000-memory.dmp
Filesize 180KB
-
memory/5220-3474-0x00007FFF451B0000-0x00007FFF451E5000-memory.dmp
Filesize 212KB
-
memory/5220-3475-0x00007FFF45190000-0x00007FFF451A9000-memory.dmp
Filesize 100KB
-
memory/5220-3476-0x00007FFF5B4F0000-0x00007FFF5B4FD000-memory.dmp
Filesize 52KB
-
memory/5220-3477-0x00007FFF45AA0000-0x00007FFF45AAB000-memory.dmp
Filesize 44KB
-
memory/5220-3478-0x00007FFF45160000-0x00007FFF4518E000-memory.dmp
Filesize 184KB
-
memory/5220-3479-0x00007FFF433A0000-0x00007FFF433AC000-memory.dmp
Filesize 48KB
-
memory/5220-3481-0x00007FFF43390000-0x00007FFF4339B000-memory.dmp
Filesize 44KB
-
memory/5220-3482-0x00007FFF43380000-0x00007FFF4338B000-memory.dmp
Filesize 44KB
-
memory/5220-3483-0x00007FFF433B0000-0x00007FFF433BC000-memory.dmp
Filesize 48KB
-
memory/5220-3484-0x00007FFF484F0000-0x00007FFF484FC000-memory.dmp
Filesize 48KB
-
memory/5220-3485-0x00007FFF43370000-0x00007FFF4337C000-memory.dmp
Filesize 48KB
-
memory/5220-3486-0x00007FFF45610000-0x00007FFF4561C000-memory.dmp
Filesize 48KB
-
memory/5220-3487-0x00007FFF450F0000-0x00007FFF450FC000-memory.dmp
Filesize 48KB
-
memory/5220-3489-0x00007FFF43320000-0x00007FFF4332C000-memory.dmp
Filesize 48KB
-
memory/5220-3490-0x00007FFF43090000-0x00007FFF43313000-memory.dmp
Filesize 2.5MB
-
memory/5220-3491-0x00007FFF43360000-0x00007FFF4336C000-memory.dmp
Filesize 48KB
-
memory/5220-3492-0x00007FFF43350000-0x00007FFF4335D000-memory.dmp
Filesize 52KB
-
memory/5220-3494-0x000001C48BA20000-0x000001C48BD95000-memory.dmp
Filesize 3.5MB
-
memory/5220-3495-0x00007FFF43080000-0x00007FFF4308A000-memory.dmp
Filesize 40KB
-
memory/5220-3496-0x00007FFF43050000-0x00007FFF43079000-memory.dmp
Filesize 164KB
-
memory/5220-3493-0x00007FFF43330000-0x00007FFF43342000-memory.dmp
Filesize 72KB
-
memory/5220-3488-0x00007FFF433C0000-0x00007FFF433CE000-memory.dmp
Filesize 56KB
-
memory/5220-3480-0x00007FFF45130000-0x00007FFF4515B000-memory.dmp
Filesize 172KB
-
memory/5220-3440-0x00007FFF43CE0000-0x00007FFF442C8000-memory.dmp
Filesize 5.9MB
-
memory/5220-3455-0x00007FFF437C0000-0x00007FFF437D5000-memory.dmp
Filesize 84KB
-
memory/5220-3456-0x00007FFF437A0000-0x00007FFF437B2000-memory.dmp
Filesize 72KB
-
memory/5220-3469-0x00007FFF435F0000-0x00007FFF43763000-memory.dmp
Filesize 1.4MB
-
memory/5220-3429-0x00007FFF43770000-0x00007FFF43793000-memory.dmp
Filesize 140KB
-
memory/5220-3361-0x00007FFF437E0000-0x00007FFF43B55000-memory.dmp
Filesize 3.5MB
-
memory/5220-3362-0x00007FFF43360000-0x00007FFF4336C000-memory.dmp
Filesize 48KB
-
memory/5220-3363-0x00007FFF43350000-0x00007FFF4335D000-memory.dmp
Filesize 52KB
-
memory/5220-3364-0x00007FFF43330000-0x00007FFF43342000-memory.dmp
Filesize 72KB
-
memory/5220-3365-0x00007FFF45100000-0x00007FFF4512E000-memory.dmp
Filesize 184KB
-
memory/5220-3366-0x00007FFF43390000-0x00007FFF4339B000-memory.dmp
Filesize 44KB
-
memory/5220-3367-0x00007FFF43380000-0x00007FFF4338B000-memory.dmp
Filesize 44KB
-
memory/5220-3368-0x00007FFF43370000-0x00007FFF4337C000-memory.dmp
Filesize 48KB
-
memory/5220-3448-0x00007FFF58990000-0x00007FFF5899D000-memory.dmp
Filesize 52KB
-
memory/5220-3372-0x00007FFF43080000-0x00007FFF4308A000-memory.dmp
Filesize 40KB
-
memory/5220-3373-0x00007FFF43050000-0x00007FFF43079000-memory.dmp
Filesize 164KB
-
memory/5220-3370-0x00007FFF43320000-0x00007FFF4332C000-memory.dmp
Filesize 48KB
-
memory/5220-3371-0x00007FFF43090000-0x00007FFF43313000-memory.dmp
Filesize 2.5MB
-
memory/5220-3352-0x00007FFF57CD0000-0x00007FFF57CDB000-memory.dmp
Filesize 44KB
-
memory/5220-3353-0x00007FFF45610000-0x00007FFF4561C000-memory.dmp
Filesize 48KB
-
memory/5220-3354-0x00007FFF450F0000-0x00007FFF450FC000-memory.dmp
Filesize 48KB
-
memory/5220-3355-0x00007FFF433C0000-0x00007FFF433CE000-memory.dmp
Filesize 56KB
-
memory/5220-3360-0x000001C48BA20000-0x000001C48BD95000-memory.dmp
Filesize 3.5MB
-
memory/5220-3356-0x00007FFF45AA0000-0x00007FFF45AAB000-memory.dmp
Filesize 44KB
-
memory/5220-3358-0x00007FFF433B0000-0x00007FFF433BC000-memory.dmp
Filesize 48KB
-
memory/5220-3359-0x00007FFF433A0000-0x00007FFF433AC000-memory.dmp
Filesize 48KB
-
memory/5220-3357-0x00007FFF43C20000-0x00007FFF43CDC000-memory.dmp
Filesize 752KB
-
memory/5220-3347-0x00007FFF433D0000-0x00007FFF43408000-memory.dmp
Filesize 224KB
-
memory/5220-3348-0x00007FFF51240000-0x00007FFF5124B000-memory.dmp
Filesize 44KB
-
memory/5220-3349-0x00007FFF4CD20000-0x00007FFF4CD2C000-memory.dmp
Filesize 48KB
-
memory/5220-3350-0x00007FFF4BFA0000-0x00007FFF4BFAB000-memory.dmp
Filesize 44KB
-
memory/5220-3351-0x00007FFF484F0000-0x00007FFF484FC000-memory.dmp
Filesize 48KB
-
memory/5220-3346-0x00007FFF45190000-0x00007FFF451A9000-memory.dmp
Filesize 100KB
-
memory/5220-3305-0x00007FFF58620000-0x00007FFF5862B000-memory.dmp
Filesize 44KB
-
memory/5220-3307-0x00007FFF43410000-0x00007FFF4352C000-memory.dmp
Filesize 1.1MB
-
memory/5220-3306-0x00007FFF43530000-0x00007FFF43556000-memory.dmp
Filesize 152KB
-
memory/5220-3297-0x00007FFF435D0000-0x00007FFF435E8000-memory.dmp
Filesize 96KB
-
memory/5220-3298-0x00007FFF43560000-0x00007FFF43574000-memory.dmp
Filesize 80KB
-
memory/5220-3291-0x00007FFF43CE0000-0x00007FFF442C8000-memory.dmp
Filesize 5.9MB
-
memory/5220-3293-0x00007FFF437A0000-0x00007FFF437B2000-memory.dmp
Filesize 72KB
-
memory/5220-3294-0x00007FFF43770000-0x00007FFF43793000-memory.dmp
Filesize 140KB
-
memory/5220-3295-0x00007FFF435F0000-0x00007FFF43763000-memory.dmp
Filesize 1.4MB
-
memory/5220-3296-0x00007FFF48500000-0x00007FFF48524000-memory.dmp
Filesize 144KB
-
memory/5220-3211-0x00007FFF45100000-0x00007FFF4512E000-memory.dmp
Filesize 184KB
-
memory/5220-3212-0x00007FFF437E0000-0x00007FFF43B55000-memory.dmp
Filesize 3.5MB
-
memory/5220-3214-0x00007FFF43B60000-0x00007FFF43C18000-memory.dmp
Filesize 736KB
-
memory/5220-3213-0x000001C48BA20000-0x000001C48BD95000-memory.dmp
Filesize 3.5MB
-
memory/5220-3208-0x00007FFF45130000-0x00007FFF4515B000-memory.dmp
Filesize 172KB
-
memory/5220-3206-0x00007FFF45160000-0x00007FFF4518E000-memory.dmp
Filesize 184KB
-
memory/5220-3207-0x00007FFF43C20000-0x00007FFF43CDC000-memory.dmp
Filesize 752KB
-
memory/5220-3205-0x00007FFF58990000-0x00007FFF5899D000-memory.dmp
Filesize 52KB
-
memory/5220-3203-0x00007FFF45190000-0x00007FFF451A9000-memory.dmp
Filesize 100KB
-
memory/5220-3204-0x00007FFF5B4F0000-0x00007FFF5B4FD000-memory.dmp
Filesize 52KB
-
memory/5220-3202-0x00007FFF451B0000-0x00007FFF451E5000-memory.dmp
Filesize 212KB
-
memory/5220-3174-0x00007FFF43CE0000-0x00007FFF442C8000-memory.dmp
Filesize 5.9MB
-
memory/5220-3185-0x00007FFF5B5A0000-0x00007FFF5B5AF000-memory.dmp
Filesize 60KB
-
memory/5220-3184-0x00007FFF48500000-0x00007FFF48524000-memory.dmp
Filesize 144KB
-
memory/5220-3190-0x00007FFF45AB0000-0x00007FFF45ADD000-memory.dmp
Filesize 180KB
-
memory/5220-3189-0x00007FFF4CEA0000-0x00007FFF4CEB9000-memory.dmp
Filesize 100KB
-
memory/5664-6848-0x00000212B1000000-0x00000212B10AE000-memory.dmp
Filesize 696KB
-
memory/6536-6588-0x00000253F64D0000-0x00000253F657E000-memory.dmp
Filesize 696KB
-
memory/6536-6352-0x00007FFF66450000-0x00007FFF66451000-memory.dmp
Filesize 4KB
-
memory/6936-9471-0x000000001C9A0000-0x000000001C9D8000-memory.dmp
Filesize 224KB
-
memory/6936-9470-0x000000001C2D0000-0x000000001C2D8000-memory.dmp
Filesize 32KB
-
memory/6936-9472-0x000000001C970000-0x000000001C97E000-memory.dmp
Filesize 56KB
-
memory/6936-9453-0x0000000000EB0000-0x0000000001314000-memory.dmp
Filesize 4.4MB
-
memory/7124-9455-0x000000001C210000-0x000000001C6DE000-memory.dmp
Filesize 4.8MB
-
memory/7124-9456-0x000000001C780000-0x000000001C81C000-memory.dmp
Filesize 624KB
-
memory/7124-9457-0x00000000015B0000-0x00000000015B8000-memory.dmp
Filesize 32KB
-
memory/7124-9454-0x000000001BC90000-0x000000001BD36000-memory.dmp
Filesize 664KB
-
memory/7124-9458-0x000000001C980000-0x000000001C9CC000-memory.dmp
Filesize 304KB
-
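The listing above is raw sandbox output, and before any of it goes into a blocklist a responder normally parses it and sanity-checks it: alternate data streams such as `:Zone.Identifier` and `:SmartScreen` are mark-of-the-web metadata, not file content; the crashpad named pipe carries the well-known digests of zero-length input (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442...), so there is nothing to match on; and each `memory/<pid>-<id>-<start>-<end>-memory.dmp` name encodes an address range whose span should agree with the reported Filesize. The script below is an added example written for this page, not part of the sandbox report or its tooling. Its sample input is constructed: four entries copied from the listing in the flattened form the extraction produced (label glued to value), plus one invented memory entry for pid 9999 whose reported size is deliberately wrong so the range check has something to flag.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: four entries copied from the report's listing, flattened as the page
# extraction left them, plus one invented memory entry (pid 9999) with a wrong Filesize.
SAMPLE = r"""
C:\Users\Admin\Downloads\xoro-service-fns.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_4864_QBWIPBVHTSWZKRQOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/696-9452-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/6936-9453-0x0000000000EB0000-0x0000000001314000-memory.dmpFilesize
4.4MB
-
memory/9999-1-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
128KB
-
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Artifact:
    path: str
    size: Optional[str] = None                      # size exactly as the report prints it
    hashes: Dict[str, str] = field(default_factory=dict)

    @property
    def stream(self) -> Optional[str]:
        # "C:\...\file.exe:Zone.Identifier" has a second colon: an alternate data stream
        return self.path.rsplit(":", 1)[1] if self.path.count(":") > 1 else None

    @property
    def is_empty(self) -> bool:
        # every digest equals the digest of b"": the artifact had no content at all
        return bool(self.hashes) and all(
            d == hashlib.new(algo.lower()).hexdigest() for algo, d in self.hashes.items())


def split_hash_line(line: str) -> Optional[Tuple[str, str]]:
    """'SHA1da39...' -> ('SHA1', 'da39...'); digest length tells SHA1 from SHA256."""
    for algo, n in HASH_LEN.items():
        digest = line[len(algo):].lower()
        if line.startswith(algo) and len(digest) == n and all(c in "0123456789abcdef" for c in digest):
            return algo, digest
    return None


def parse_block(lines: List[str]) -> Artifact:
    head, rest = lines[0], lines[1:]
    if head.endswith("Filesize"):              # file: path+"Filesize", then size, then hashes
        art = Artifact(head[: -len("Filesize")], rest[0])
        rest = rest[1:]
    elif head.endswith("MD5"):                 # named pipe: no size, "MD5" glued to the path
        art = Artifact(head[:-3])
        rest = ["MD5" + rest[0]] + rest[1:]
    else:
        art = Artifact(head)
    for line in rest:
        found = split_hash_line(line)
        if found is None:
            raise ValueError(f"unexpected line in entry {art.path!r}: {line!r}")
        art.hashes[found[0]] = found[1]
    return art


def parse_listing(text: str) -> List[Artifact]:
    """Entries are separated by a lone '-' line, as in the report."""
    artifacts, block = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "-":
            if block:
                artifacts.append(parse_block(block))
            block = []
        elif line:
            block.append(line)
    if block:
        artifacts.append(parse_block(block))
    return artifacts


def human_size(n: int) -> str:
    """Reproduce the report's rendering: bytes, whole KiB below 1 MiB, else MiB to one decimal."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB" if n >= 1024 else f"{n}B"


def check_memory_dump(art: Artifact) -> Optional[Tuple[int, int, bool]]:
    """For memory/<pid>-<id>-<start>-<end>-memory.dmp: (pid, span in bytes, size agrees?)."""
    m = MEM_RE.match(art.path)
    if not m:
        return None
    span = int(m.group(3), 16) - int(m.group(2), 16)
    return int(m.group(1)), span, human_size(span) == art.size


def triage(artifacts: List[Artifact]) -> List[Tuple[str, str]]:
    """The caveats a responder wants attached to an entry before its hashes are reused."""
    findings = []
    for a in artifacts:
        if a.stream:
            findings.append((a.path, f"alternate data stream :{a.stream}, metadata rather than file content"))
        if a.is_empty:
            findings.append((a.path, "digests are those of zero-length input; nothing to match on"))
        chk = check_memory_dump(a)
        if chk and not chk[2]:
            findings.append((a.path, f"reported {a.size} but the range spans {chk[1]} bytes ({human_size(chk[1])})"))
    return findings
```

Run against `SAMPLE`, `triage(parse_listing(SAMPLE))` returns three findings: the Zone.Identifier stream, the empty crashpad pipe, and the invented pid 9999 entry whose 0x10000-byte range is 64KB rather than the claimed 128KB; the two genuine memory entries pass, including the 4.4MB one, where 0x464000 bytes is 4.39 MiB and only agrees with the report once you round to one decimal the way the report does.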