hxxps://github[.]com/Nexus-Mods/Nexus-Mod-Manager[.]git

Analysis

max time kernel
1793s
max time network
1685s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 05:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Nexus-Mods/Nexus-Mod-Manager.git

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
536	NMM-0.87.0.exe
224	NMM-0.87.0.tmp
2020	Eulen.Installer.exe
5636	Eulen.exe

Loads dropped DLL 2 IoCs

pid	Process
224	NMM-0.87.0.tmp
5636	Eulen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
34	camo.githubusercontent.com

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.WebSocket.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\icon.ico	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.dat	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Commands.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Numerics.Vectors.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe.config	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Extensions.DependencyInjection.Abstractions.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Collections.Immutable.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Bcl.AsyncInterfaces.xml	Eulen.Installer.exe
File opened for modification	C:\Program Files (x86)\eulencheats\Eulen\Uninstall_lang.ifl	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Webhook.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Extensions.DependencyInjection.Abstractions.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Interactive.Async.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Runtime.CompilerServices.Unsafe.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Debug\svcchhost.exe	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.WebSocket.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Memory.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Reactive.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Interactive.Async.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Newtonsoft.Json.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\presetforinstallforge.ifp	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Buffers.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Eulen.pdb	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Uninstall_lang.ifl	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Memory.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Threading.Tasks.Extensions.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Uninstall.exe	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Core.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Interactions.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Numerics.Vectors.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Reactive.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\discord-rpc-w32.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Rest.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Microsoft.Bcl.AsyncInterfaces.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.ValueTuple.dll	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\System.Linq.Async.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Core.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\Discord.Net.Rest.xml	Eulen.Installer.exe
File created	C:\Program Files (x86)\eulencheats\Eulen\spoofer.exe	Eulen.Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\shell	Eulen.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\shell\open	Eulen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\shell\open\command\ = "C:\\Program Files (x86)\\eulencheats\\Eulen\\Eulen.exe"	Eulen.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136	Eulen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\URL Protocol	Eulen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\DefaultIcon\ = "C:\\Program Files (x86)\\eulencheats\\Eulen\\Eulen.exe"	Eulen.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\shell\open\command	Eulen.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-200405930-3877336739-3533750831-1000\{E54E1D5D-11E6-4913-8870-90D27B94F902}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\ = "URL:Run game 1199093351111213136 protocol"	Eulen.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1199093351111213136\DefaultIcon	Eulen.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 697479.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 422656.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
4416	msedge.exe
4416	msedge.exe
3692	identity_helper.exe
3692	identity_helper.exe
2248	msedge.exe
2248	msedge.exe
3868	msedge.exe
3868	msedge.exe
4112	msedge.exe
4112	msedge.exe
5636	Eulen.exe
5636	Eulen.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5636	Eulen.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
2020	Eulen.Installer.exe
2020	Eulen.Installer.exe
5636	Eulen.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	Eulen.Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 5036	4416	msedge.exe	89
PID 4416 wrote to memory of 5036	4416	msedge.exe	89
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 3620	4416	msedge.exe	90
PID 4416 wrote to memory of 2268	4416	msedge.exe	91
PID 4416 wrote to memory of 2268	4416	msedge.exe	91
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92
PID 4416 wrote to memory of 4564	4416	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Nexus-Mods/Nexus-Mod-Manager.git
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb18af46f8,0x7ffb18af4708,0x7ffb18af4718
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Users\Admin\Downloads\NMM-0.87.0.exe
  "C:\Users\Admin\Downloads\NMM-0.87.0.exe"
  2⤵
  - Executes dropped EXE
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\is-GVR3U.tmp\NMM-0.87.0.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GVR3U.tmp\NMM-0.87.0.tmp" /SL5="$701F8,35554080,832512,C:\Users\Admin\Downloads\NMM-0.87.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Users\Admin\Downloads\Eulen.Installer.exe
  "C:\Users\Admin\Downloads\Eulen.Installer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5653366546979747056,1222390770913109343,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6668 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1428

C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe
"C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe

Filesize
297KB

MD5
5f309ab77cc425d8954b7c25cab3b78d

SHA1
c7a0a97edaf12122128551d7e10dc95e956c04e5

SHA256
a9aa89e3ff1c3f5b02086d69b78971c83c75a85a4ce938f390c27c1cc5b69c59

SHA512
720399d8e91fcfbb7f307396559afa91c0403af36695810d7b96da41ceabb0371156e4b437ef9963a60a2ca12ba182f7c727c0eb0e14fefea38e22562ffa9b40

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\Eulen.exe.config

Filesize
2KB

MD5
b1f9d66ef005aa3c83b4325d19eddfc7

SHA1
02fab54210b73330fc29fbb88cbf1f67238398f9

SHA256
54cf3144f875a8c6554a51b6fa1915fa85e37eb7ad2dbceab7b1fcafe5f9d099

SHA512
818081bda201b816e03e4f2d1db7b2588b190e85b8974d0801544c2c6ccca04768efffd446e9eebb9a4fc2f3bd91d9d5defc56bdb83ec0e41bb9e7e8d761f031

Download Submit
C:\Program Files (x86)\eulencheats\Eulen\discord-rpc-w32.dll

Filesize
289KB

MD5
a1c35901ad26a30c5b7836771b6badff

SHA1
94a57cd3452a53c209323a1ce738b9f0fb0d6087

SHA256
517240600b04d454cc5ab7b03e43c4af5a0b831fd2515f25c015a83652ad4cac

SHA512
0af73788858e85df874cc232f5d31765648ffbf53d7fdf388fc1b619f44b9ca172c3ac92c983cbeec5d22b6692cd7d3f20734c8e759fe9cf53ac2671d9c1d5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\7e1466d4-8fc9-4ec0-97f5-c3975fe8b02a.tmp

Filesize
11KB

MD5
8e98ab90b111e137599b85f03829d2b3

SHA1
6308b46c89ced06f442dc5ddac21828784193fc5

SHA256
4f7aeaa1ad4a792b751d111248ad1e6c24919cd228f812a94fa25525c4363092

SHA512
dccc75f70e4b435a9a557f121d64519e302722b5e56620126513d667581102f6a926c0b0ece6c5de6987c7857b3f9bf92e9f37b45752130ad6de0421c6b26ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
257c0005d0c4d0bb282cb470925e4376

SHA1
f9b8efb511ed64292568977c9f2ec255509e8f7d

SHA256
8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22

SHA512
2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4819fbc4513c82d92618f50a379ee232

SHA1
ab618827ff269655283bf771fc957c8798ab51ee

SHA256
05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c

SHA512
bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5045aed25b08a1c532bc684b087f3bdf

SHA1
73b6ada6349e891c96b621874901e7f83ae25ec8

SHA256
55a274019ce7b7718109bd78a270cb20f7f0a80993f8755d085a76aa2aa5ce74

SHA512
06241c5da30adf7d2c2c893aff36763340b7ea61af09fd6c7ea9eaeb78a5474e94e949243fe3397e5458d6e022f8bc3d867f37db5b8ba9d1fc51c465cba15b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dc9d0d5922439e82077a1feaba6583d4

SHA1
c5d23e148b5248d514f855bf42a182227f55cae4

SHA256
2d887b3b7623b6c189a50da87123ee0487b217ef5fa6d013b9e235eaa29aaa17

SHA512
599959fb10511e5173f2d9a3eae19f0f40e5ee25faba928737bdd407629e92dfd1b14bc79b3c23b77c86630af34b2e3ab3d4593c682db639d59d4f58dba056f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
566B

MD5
ba0f63d2228e1e0e06359dc7c097be69

SHA1
83651e4b9ab1bd5d35778eb102dcd42e2a23b1be

SHA256
76ed36969a43d0ce6c5e145af498f370ab0f3cf4de0c798e1f7421cf0070c90d

SHA512
5bf3ba91e41f911ae817d49e0821975f36f7f31a23d6b0e47e5b6cfce31880829e16a444d6f4ca85af39b449cc188d49757b8fd54b6aafa723dde19a6a0bc861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
784B

MD5
b8979b65e1335b87a213456e3293d909

SHA1
b9b3471d94f6e7e8e155e7ec676d64c3461a1edd

SHA256
d58e47eb8c9ef43bb15b77a9d8b4fbacde95b928839546015ce840c65936ba64

SHA512
e47a5ef660222bce68c9b26d8fff2caee047ed4136a77c25f593ed4baef2cf785082a7f372e2f248822f1afb82b91273ab9ce19e25d6bdcecdee5907dd6045f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5189780abb5679624c21913318498053

SHA1
0906a0ab224fd08da611c262b5e19ea522b1af55

SHA256
37bd6ea2f322bf25005c28fb6efcec68f2b77c74a76d0d988ba7b264e3d4f2df

SHA512
aa5c6bcc4eafe8438817610c4327cdecfca8311988fe0c6e38cfc7aa98eecb05e830013842695d7337d7fb565dc0d22b619d593fe9a75ce730c5ffa1a48a4f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4fb7e7910abef7be3d3d668ea60dbe6

SHA1
b00b6f12829e75c5e2ce4c0786fae81d1d1d3aa2

SHA256
933053cb50eb834155743da20cb5ba34c4f0ed2de87e48065b7833ef89b94af3

SHA512
929fa822c1cb6cfa646c1170fdf0d7800d8a33c6e293b2053f09b0c4d7e02dfe84d5ba04e928c7442fd992d314f3823f884e6450fde95865bc3b015902576bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78ccb412d95519aa43a8792b644ed890

SHA1
c902b71e39b4567326683d5b91e82d771545df77

SHA256
0baeeff7c74ca8c747b24edcfa0bac6028299da57ef1c697ebd056c604c4b604

SHA512
e213ac2d20863955d42bb3101db5dbf81cedd497e4a577f8511243cd99c125d98edd7ab2efd4fba0f328b6ce1e8d23419019ba153a08ab9ff38d9f6ca064b3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
991b9d9252986403e942fbcbebd29b9f

SHA1
8e23350833e02126ce28eb2e16aff9eb100b9f83

SHA256
e703ac2ddc717c8e86ad36eb388cb4fc81bcfb216e4d685552bcd929b5faa530

SHA512
4224544402061a77178b9b85c994b99ffa33aea1ee4454f8b48e198a117a34734d9f588a9dc2f43f732ce15ccb34ee6d11d1e1472693803efed0a0303c1b08ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7acbd8530799616cbc9d2172339bf4f5

SHA1
cd2da30ef87f02c8fdb4313a58c01f6181cba9f3

SHA256
16a27a22221ad0624a9968f6d8ec73c2256aaac5cfd950b7ea021291f7fe7bc7

SHA512
cb80e98c082923a42f690f30e01b563438e80bbe6df0c879c01a62037da94f38a926920ac1c018e1cce6d88a5c17c744498b60b96b016022cc28ccb99c627456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52c03d193d5bed07fee1ed8f379685bb

SHA1
2c98208b3cfe75dacf781f373b6a28eebe42bb31

SHA256
c5a38eddbeb7119aaa8cd83e3fe51677b3f8804e10866ea664c9b99f3513f195

SHA512
9907232e1d3b6e5d946dd8e0e33e73d9d893ec4b144e7c6709b2005d58e7be3adc0efb5fac42b4f5bdca481ceb46695ae4005480f8360a6b24e9f4588cf1942d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
95cd1581c30a5c26f698a8210bcab430

SHA1
5e8e551a47dd682ec51a7d6808fe8e0f2af39e86

SHA256
d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9

SHA512
e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
166d115b6b8011e815bcc14c270a7bd2

SHA1
ebb074febedc4d9b3f91f47d2c8db2b14acdefaf

SHA256
66191a2887a0ff3cae04e78d71203382afe80018501cdbcccb13929a0c193eff

SHA512
fc99dc2bde7e87e4834e883577813a29d0417218be3b71bca178d35e224d75d15d4781a5eeda9ae7096626cebeaa4647d9916f72ed1ffe0281d396ad032657e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a75853f02282575bb0a64414d63da35

SHA1
d4d207597b899c06141d8df6c22fafc94d2d5205

SHA256
ecd4e1c1f4f8320f753210456969db1e17fdea94f8609ec92df79c4995537875

SHA512
d0b2da764ff9cabd5fb90d02ae84fa0d1ad70956e7279c26f3f6f721996c12e57d2470ba99003c35bdd8b184a6331dba2cecba102720d46bc38fc752fde7149c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0845910a44c224938ca5218fe12fea86

SHA1
070f763895597fe37f7e1b67090895414a7da3b4

SHA256
111a703725cc53d16b88d59e98c816e506abe73e9891a12f15ee7e102e0e856e

SHA512
3d2be179b2b3c57b8fba8adaba2b4501a8338eb61afef9c8478f6918de1bd3964d41c3f8b1ebab54263a2a333825e060638ae28c95cf3bd76d5b3c912ce7a2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74d43259d49b5f7d53beaac2a8f2edc7

SHA1
0abb8bea06d02e5f47a62f593b07e599debbe019

SHA256
65ef317060d03757465498c14d4f4608443dd537cb84fb525f5d52bf88ff8254

SHA512
09bb9343859634da17e0db249d6a89797892840a927e37146317bbdb8d2e7f2cc34fbf07141b2cdaee2e92e835064f4353e7daa953f74d89a7ba0c210f3036ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58626e.TMP

Filesize
1KB

MD5
5c3f3aa6e9579b28d854a2487b27a927

SHA1
8ab9db38b5c222c8c3c2170c516f819f5eeb5b41

SHA256
2ed168702ed3a8b2137cf9014497fd0923bd46ac16672d6d6cc44dc0485cab3d

SHA512
89f31b82fb92d6f317ec733e8a5b07fbac7c2362c226e430bb06cc5d228e07e9445e046ac0e5ade377c2299180d169cef103439dc9c49d615e9d5aa5c093937b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
79de0743d6b6a40597e9af5caff2e6b2

SHA1
89590faa50ff7e8029bb1dfa8b107ab2dd0d216c

SHA256
3f722b433d35af383967e80985eaf37d5add6e6b406b5835d1c3d72f21800a2f

SHA512
10b2ddf2a81a5399e969765138a06315b674b996c6586fac22b1e1470f66cdfb0e906ff144d787ad31f0624ea6fc58da1f2b89dd23a2fb91552715b0eefff3ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
08781a8d8b284b84d219b8f0f35a552e

SHA1
4be3d78bfcd08e61a3e000a6eebe53b29e5eb1ee

SHA256
10589ac9c4d49c90b8e6b43222b261d863ce7f506a03cda30aa783ef04483f79

SHA512
4a1b9b94f1364239767cd403f76babcc151107a2579f21ccdf9a5d782cf8574b4fe8a412219757d8222bef8849c2fae4d6c54c023c378db8ba04acc6ad334166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1877ac4d2426cc66dbc8e7c5f85cca50

SHA1
08145b41263d36ad22033484488448e31cc6ffee

SHA256
de3a7b6b8ecc6e5cc17a78ef48ad42388dda55c59c415560e5ba2d672f3061b4

SHA512
a60c3e8891a5b97928c70ebb09c1d968d93f76201a7e4d5104e8c0c26eafb469d55c54c880158eeaf37bae216874c15ba53996079e1f9b7da17a643c7d9d85af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IF{8B055D9C-D9A8-4745-A1DA-EB6BB5AFCAD1}\Deutsch.ifl

Filesize
3KB

MD5
981077ef92410cbf204c59e5465de5dd

SHA1
ad253930fd3a5edd8a81dc473f89132ff2243699

SHA256
a792f4f5edee0e158798b75b82f6ac720e51957498450161b04ee812101f801c

SHA512
3f1e30cd667a658f3a2f1388efbd712b57cc5b028de431fd995d8ff376734a8e7ec62a686502761c03214eded30b0ab445d0762b58e5d24663cd25ef8749725c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GVR3U.tmp\NMM-0.87.0.tmp

Filesize
3.1MB

MD5
234e5871bb4b3e26b1fc1f6c337fba2f

SHA1
d3c5d268c3a6b42845467c68208153735822f8e1

SHA256
4bb5a00795631613c82b5aaf9ae05170bcc4e9d095a576ed1d82d60f4a39c390

SHA512
611c8430732011ceef377f6b946c05a5ff10fe286f0481e2af8a8470c73cc55bf762854b930ad4821769d3a4f82d19f88b7cfd8e33ee8e8b67ac8ab9aed162bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UK1IA.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 422656.crdownload

Filesize
8.8MB

MD5
19261726afeeb62225eabd06682e47bc

SHA1
165c6aca9d7cc12d166fcee887fc3ef6cd7ff2bd

SHA256
9b0b8d0eb59b60b3a0b04e85091e49adcc8a26dc3ce4f3ded129d5a1827509d3

SHA512
1317365234f5e64996a74c5ff25d20681b48490349b8165ea7d7e1e504c774589de6966db3d62ecd3d3339699d0ee9e35166d57a4459f5f32d4f9df8b543c01f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 697479.crdownload

Filesize
34.8MB

MD5
35357e55380a142773d2eb88df81f7da

SHA1
b9e7dc097d715a79b56742105b494dabd88b49f5

SHA256
07d16cbe3c4aebbf0842571d03ddeb3ac5e8c45e95bfa24c9c64bcb524f6b273

SHA512
411c22c77f92bb0a86f0636fca04725549fa33a266f2ee9d90233cd9ff152529764294c31a045914a238baaa12d4670282da64b0294888958b7a0cf66474a675

Download Submit
memory/224-277-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/224-262-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/536-278-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/536-261-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/536-231-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2020-715-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5636-800-0x0000000008B70000-0x0000000008BA8000-memory.dmp

Filesize
224KB

Download
memory/5636-801-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/5636-799-0x0000000007960000-0x0000000007968000-memory.dmp

Filesize
32KB

Download
memory/5636-798-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download